Sign-up

ID

VAR-201211-0272


CVE

CVE-2012-4955


TITLE

Dell OpenManage Server Administrator Cross-site scripting vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2012-005363 // CNNVD: CNNVD-201211-268

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Dell OpenManage Server Administrator (OMSA) before 6.5.0.1, 7.0 before 7.0.0.1, and 7.1 before 7.1.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Dell OpenManage Server Administrator (OMSA) is a system management solution of Dell (Dell). The solution supports online diagnosis, system operation detection, equipment management, etc. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Dell OpenManage Server Administrator Unspecified Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA51297 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51297/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51297 RELEASE DATE: 2012-11-15 DISCUSS ADVISORY: http://secunia.com/advisories/51297/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/51297/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=51297 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Dell OpenManage Server Administrator, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain unspecified input is not properly sanitised before being returned to the user. SOLUTION: Update to a fixed version. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor and David Ferrest via US-CERT. ORIGINAL ADVISORY: US-CERT: http://www.kb.cert.org/vuls/id/558132 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.79

sources: NVD: CVE-2012-4955 // CERT/CC: VU#558132 // JVNDB: JVNDB-2012-005363 // BID: 56518 // VULHUB: VHN-58236 // PACKETSTORM: 118125

AFFECTED PRODUCTS

vendor:dellmodel:openmanage server administratorscope:eqversion:5.1.0

Trust: 1.6

vendor:dellmodel:openmanage server administratorscope:eqversion:4.3.0

Trust: 1.6

vendor:dellmodel:openmanage server administratorscope:eqversion:5.0.0

Trust: 1.6

vendor:dellmodel:openmanage server administratorscope:eqversion:5.2.0

Trust: 1.6

vendor:dellmodel:openmanage server administratorscope:eqversion:4.4.0

Trust: 1.6

vendor:dellmodel:openmanage server administratorscope:eqversion:1.00.0000

Trust: 1.6

vendor:dellmodel:openmanage server administratorscope:eqversion:7.1.0

Trust: 1.6

vendor:dellmodel:openmanage server administratorscope:eqversion:4.5.0

Trust: 1.6

vendor:dellmodel:openmanage server administratorscope:eqversion:5.1.0.1

Trust: 1.6

vendor:dellmodel:openmanage server administratorscope:eqversion:7.0.0

Trust: 1.6

vendor:dellmodel:openmanage server administratorscope:eqversion:5.5.0

Trust: 1.0

vendor:dellmodel:openmanage server administratorscope:eqversion:6.3.0

Trust: 1.0

vendor:dellmodel:openmanage server administratorscope:eqversion:5.3.0

Trust: 1.0

vendor:dellmodel:openmanage server administratorscope:lteversion:6.5.0

Trust: 1.0

vendor:dellmodel:openmanage server administratorscope:eqversion:6.2.0

Trust: 1.0

vendor:dellmodel:openmanage server administratorscope:eqversion:5.4.0

Trust: 1.0

vendor:dellmodel:openmanage server administratorscope:eqversion:5.5.0.1

Trust: 1.0

vendor:dellmodel:openmanage server administratorscope:eqversion:6.4.0

Trust: 1.0

vendor:dell computermodel: - scope: - version: -

Trust: 0.8

vendor:dellmodel:openmanage server administratorscope:ltversion:version 6.5.0.1 earlier

Trust: 0.8

vendor:dellmodel:openmanage server administratorscope:ltversion:version 7.0.0.1 earlier

Trust: 0.8

vendor:dellmodel:openmanage server administratorscope:ltversion:version 7.1.0.1 earlier

Trust: 0.8

sources: CERT/CC: VU#558132 // JVNDB: JVNDB-2012-005363 // CNNVD: CNNVD-201211-268 // NVD: CVE-2012-4955

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2012-4955
value: MEDIUM

Trust: 1.6

nvd@nist.gov: CVE-2012-4955
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-201211-268
value: MEDIUM

Trust: 0.6

VULHUB: VHN-58236
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2012-4955
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

NVD: CVE-2012-4955
severity: MEDIUM
baseScore: 5.0
vectorString: NONE
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-58236
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#558132 // VULHUB: VHN-58236 // JVNDB: JVNDB-2012-005363 // CNNVD: CNNVD-201211-268 // NVD: CVE-2012-4955

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-58236 // JVNDB: JVNDB-2012-005363 // NVD: CVE-2012-4955

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201211-268

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 118125 // CNNVD: CNNVD-201211-268

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2012-005363

EXPLOIT AVAILABILITY
sources:
            
            
            CERT/CC: VU#558132

PATCH
title:DELL OpenManage Server Administrator Managed Node Patch for OM7.0url:https://www.dell.com/support/drivers/us/en/19/DriverDetails/Product/poweredge-r710?driverId=PCXMR
Trust: 0.8
title:DELL OpenManage Server Administrator Managed Node Patch for OM6.5url:https://www.dell.com/support/drivers/us/en/19/DriverDetails/Product/poweredge-r710?driverId=JJMWP
Trust: 0.8
title:DELL OpenManage Server Administrator Managed Node Patch for OM7.1url:https://www.dell.com/support/drivers/us/en/19/DriverDetails/Product/poweredge-r710?driverId=5JDN0
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2012-005363

EXTERNAL IDS
db:CERT/CCid:VU#558132
Trust: 3.4
db:NVDid:CVE-2012-4955
Trust: 2.8
db:BIDid:56518
Trust: 2.0
db:SECUNIAid:51297
Trust: 1.3
db:OSVDBid:87405
Trust: 1.1
db:JVNDBid:JVNDB-2012-005363
Trust: 0.8
db:CNNVDid:CNNVD-201211-268
Trust: 0.7
db:VULHUBid:VHN-58236
Trust: 0.1
db:PACKETSTORMid:118125
Trust: 0.1
sources:
            
            
            CERT/CC: VU#558132 // 
            
            
            
            VULHUB: VHN-58236 // 
            
            
            
            BID: 56518 // 
            
            
            
            JVNDB: JVNDB-2012-005363 // 
            
            
            
            PACKETSTORM: 118125 // 
            
            
            
            CNNVD: CNNVD-201211-268 // 
            
            
            
            NVD: CVE-2012-4955

REFERENCES
url:http://www.kb.cert.org/vuls/id/558132
Trust: 2.6
url:http://www.dell.com/support/drivers/us/en/19/driverdetails/product/poweredge-r710?driverid=5jdn0&oscode=wnet&fileid=3082293694
Trust: 2.4
url:http://www.dell.com/support/drivers/us/en/19/driverdetails/product/poweredge-r710?driverid=pcxmr&oscode=wnet&fileid=3082295344
Trust: 2.4
url:http://www.dell.com/support/drivers/us/en/19/driverdetails/product/poweredge-r710?driverid=jjmwp&oscode=wnet&fileid=3082295338
Trust: 2.4
url:http://www.securityfocus.com/bid/56518
Trust: 1.7
url:http://osvdb.org/87405
Trust: 1.1
url:http://secunia.com/advisories/51297
Trust: 1.1
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/80071
Trust: 1.1
url:http://cwe.mitre.org/data/definitions/79.html
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4955
Trust: 0.8
url:http://jvn.jp/cert/jvnvu558132
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-4955
Trust: 0.8
url:http://dell.com
Trust: 0.3
url:http://www.dell.com/support/drivers/us/en/19/driverdetails/product/poweredge-r710?driverid=5jdn0&oscode=wnet&fileid=3082293694
Trust: 0.1
url:http://www.dell.com/support/drivers/us/en/19/driverdetails/product/poweredge-r710?driverid=jjmwp&oscode=wnet&fileid=3082295338
Trust: 0.1
url:http://www.dell.com/support/drivers/us/en/19/driverdetails/product/poweredge-r710?driverid=pcxmr&oscode=wnet&fileid=3082295344
Trust: 0.1
url:http://secunia.com/advisories/51297/#comments
Trust: 0.1
url:http://secunia.com/vulnerability_intelligence/
Trust: 0.1
url:http://secunia.com/advisories/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
Trust: 0.1
url:http://secunia.com/advisories/51297/
Trust: 0.1
url:https://ca.secunia.com/?page=viewadvisory&vuln_id=51297
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/personal/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/blog/325/
Trust: 0.1
url:http://secunia.com/advisories/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            CERT/CC: VU#558132 // 
            
            
            
            VULHUB: VHN-58236 // 
            
            
            
            BID: 56518 // 
            
            
            
            JVNDB: JVNDB-2012-005363 // 
            
            
            
            PACKETSTORM: 118125 // 
            
            
            
            CNNVD: CNNVD-201211-268 // 
            
            
            
            NVD: CVE-2012-4955

CREDITS
David Ferrest and Dell
Trust: 0.9
sources:
            
            
            BID: 56518 // 
            
            
            
            CNNVD: CNNVD-201211-268

SOURCES
db:CERT/CCid:VU#558132
db:VULHUBid:VHN-58236
db:BIDid:56518
db:JVNDBid:JVNDB-2012-005363
db:PACKETSTORMid:118125
db:CNNVDid:CNNVD-201211-268
db:NVDid:CVE-2012-4955

LAST UPDATE DATE
2025-04-11T22:53:30.780000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#558132date:2012-11-14T00:00:00
db:VULHUBid:VHN-58236date:2017-08-29T00:00:00
db:BIDid:56518date:2012-11-14T00:00:00
db:JVNDBid:JVNDB-2012-005363date:2012-11-16T00:00:00
db:CNNVDid:CNNVD-201211-268date:2012-11-21T00:00:00
db:NVDid:CVE-2012-4955date:2025-04-11T00:51:21.963

SOURCES RELEASE DATE
db:CERT/CCid:VU#558132date:2012-11-14T00:00:00
db:VULHUBid:VHN-58236date:2012-11-15T00:00:00
db:BIDid:56518date:2012-11-14T00:00:00
db:JVNDBid:JVNDB-2012-005363date:2012-11-16T00:00:00
db:PACKETSTORMid:118125date:2012-11-15T11:04:27
db:CNNVDid:CNNVD-201211-268date:2012-11-16T00:00:00
db:NVDid:CVE-2012-4955date:2012-11-15T11:58:40.167