Remote DOM XSS and CRLF Injection in HPE Integrated Lights-Out and SimpliVity Products
CVE-2021-29210

4.8MEDIUM

Key Information:

Vendor: HP
Status: HPe Integrated Lights-out 4 (ilo 4) For HPe Gen9 Servers; HPe Integrated Lights-out 5 (ilo 5) For HPe Gen10 Servers
Vendor: CVE Published:; 25 May 2021

Summary

A remote DOM-based cross-site scripting (XSS) and carriage return line feed (CRLF) injection vulnerability has been identified in HPE Integrated Lights-Out 4 (iLO 4) and various HPE SimpliVity models. This issue affects versions prior to 2.78, potentially allowing attackers to exploit the vulnerabilities for unauthorized actions, leading to elevated access privileges or manipulation of data. Users are urged to update their systems and apply necessary patches to mitigate the risks associated with this vulnerability.

Affected Version(s)

HPE Integrated Lights-Out 4 (iLO 4) For HPE Gen9 servers; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers Prior to HPE Integrated Lights-Out 4 (iLO 4) version 2.78

HPE Integrated Lights-Out 4 (iLO 4) For HPE Gen9 servers; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers Prior to HPE Integrated Lights-Out 5 (iLO 5) version 2.44

HPE Integrated Lights-Out 4 (iLO 4) For HPE Gen9 servers; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers = unspecified

References

https://support.hpe.com/hpsc/doc/public/display?docLocale...

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 25, 2021
Vulnerability Reserved
Mar 25, 2021