Details of VAR-201309-0223

ID

VAR-201309-0223

CVE

CVE-2013-3589

TITLE

Dell iDRAC 6 and iDRAC 7 are vulnerable to a cross-site scripting (XSS) attack

Trust: 0.8

sources: CERT/CC: VU#920038

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the login page in the Administrative Web Interface on Dell iDRAC6 monolithic devices with firmware before 1.96 and iDRAC7 devices with firmware before 1.46.45 allows remote attackers to inject arbitrary web script or HTML via the ErrorMsg parameter. DELL Provided by integrated Dell Remote Access Controller (iDRAC) Contains a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. This solution provides functions such as remote management, crash recovery and power control for Dell PowerEdge systems

Trust: 2.79

sources: NVD: CVE-2013-3589 // CERT/CC: VU#920038 // JVNDB: JVNDB-2013-004284 // BID: 62598 // VULHUB: VHN-63591 // VULMON: CVE-2013-3589

AFFECTED PRODUCTS

vendor:	dell	model:	idrac6	scope:	eq	version:	1.3	Trust: 1.6
vendor:	dell	model:	idrac6	scope:	eq	version:	1.6	Trust: 1.6
vendor:	dell	model:	idrac6	scope:	eq	version:	1.0	Trust: 1.6
vendor:	dell	model:	idrac6	scope:	eq	version:	1.5	Trust: 1.6
vendor:	dell	model:	idrac6	scope:	eq	version:	1.1	Trust: 1.6
vendor:	dell	model:	idrac6	scope:	eq	version:	1.2	Trust: 1.6
vendor:	dell	model:	idrac7	scope:	eq	version:	1.37.35	Trust: 1.6
vendor:	dell	model:	idrac6	scope:	eq	version:	1.8	Trust: 1.6
vendor:	dell	model:	idrac6	scope:	lte	version:	1.95	Trust: 1.0
vendor:	dell	model:	idrac6 monolithic	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	idrac7	scope:	eq	version:	1.20.20	Trust: 1.0
vendor:	dell	model:	idrac7	scope:	lte	version:	1.40.40	Trust: 1.0
vendor:	dell	model:	idrac7	scope:	eq	version:	1.23.23	Trust: 1.0
vendor:	dell	model:	idrac7	scope:	eq	version:	1.10.10	Trust: 1.0
vendor:	dell	model:	idrac7	scope:	eq	version:	-	Trust: 1.0
vendor:	dell	model:	idrac7	scope:	eq	version:	1.06.06	Trust: 1.0
vendor:	dell	model:	idrac7	scope:	eq	version:	1.00.00	Trust: 1.0
vendor:	dell computer	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	dell	model:	idrac6 monolithic	scope:	-	version:	-	Trust: 0.8
vendor:	dell	model:	idrac6	scope:	lte	version:	version 1.41	Trust: 0.8
vendor:	dell	model:	idrac7	scope:	eq	version:	( all models )	Trust: 0.8
vendor:	dell	model:	idrac7	scope:	lte	version:	version 1.40.40	Trust: 0.8
vendor:	dell	model:	idrac7	scope:	eq	version:	1.40.40	Trust: 0.6
vendor:	dell	model:	idrac6	scope:	eq	version:	1.95	Trust: 0.6

sources: CERT/CC: VU#920038 // JVNDB: JVNDB-2013-004284 // CNNVD: CNNVD-201309-419 // NVD: CVE-2013-3589

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-3589
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-3589
value:	HIGH
Trust: 0.8
NVD:	CVE-2013-3589
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201309-419
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-63591
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2013-3589
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2013-3589
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
NVD:	CVE-2013-3589
severity:	HIGH
baseScore:	8.5
vectorString:	NONE
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	7.8
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-63591
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#920038 // VULHUB: VHN-63591 // VULMON: CVE-2013-3589 // JVNDB: JVNDB-2013-004284 // CNNVD: CNNVD-201309-419 // NVD: CVE-2013-3589

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 2.7

sources: CERT/CC: VU#920038 // VULHUB: VHN-63591 // JVNDB: JVNDB-2013-004284 // NVD: CVE-2013-3589

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201309-419

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201309-419

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004284

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#920038

PATCH

title:	Systems Management - iDRAC6 Home	url:	http://en.community.dell.com/techcenter/systems-management/w/wiki/4357.idrac6-home.aspx	Trust: 0.8
title:	-	url:	https://github.com/chnzzh/iDRAC-CVE-lib	Trust: 0.1

sources: VULMON: CVE-2013-3589 // JVNDB: JVNDB-2013-004284

EXTERNAL IDS

db:	CERT/CC	id:	VU#920038	Trust: 3.4
db:	NVD	id:	CVE-2013-3589	Trust: 2.9
db:	BID	id:	62598	Trust: 1.0
db:	JVN	id:	JVNVU96078234	Trust: 0.8
db:	JVNDB	id:	JVNDB-2013-004284	Trust: 0.8
db:	CNNVD	id:	CNNVD-201309-419	Trust: 0.7
db:	CERT/CC	id:	HTTP://WWW.KB.CERT.ORG/VULS/ID/BLUU-997QVW	Trust: 0.6
db:	VULHUB	id:	VHN-63591	Trust: 0.1
db:	VULMON	id:	CVE-2013-3589	Trust: 0.1

sources: CERT/CC: VU#920038 // VULHUB: VHN-63591 // VULMON: CVE-2013-3589 // BID: 62598 // JVNDB: JVNDB-2013-004284 // CNNVD: CNNVD-201309-419 // NVD: CVE-2013-3589

REFERENCES

url:	http://www.kb.cert.org/vuls/id/920038	Trust: 2.7
url:	http://www.kb.cert.org/vuls/id/bluu-997qvw	Trust: 2.6
url:	http://cwe.mitre.org/data/definitions/79.html	Trust: 0.9
url:	http://en.community.dell.com/techcenter/systems-management/w/wiki/4357.idrac6-home.aspx	Trust: 0.8
url:	http://www.dell.com/learn/us/en/555/solutions/integrated-dell-remote-access-controller-idrac	Trust: 0.8
url:	http://support.dell.com/	Trust: 0.8
url:	http://dell.com/support/	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-3589	Trust: 0.8
url:	http://jvn.jp/cert/jvnvu96078234/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-3589	Trust: 0.8
url:	http://www.securityfocus.com/bid/62598	Trust: 0.6
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=30950	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CERT/CC: VU#920038 // VULHUB: VHN-63591 // VULMON: CVE-2013-3589 // JVNDB: JVNDB-2013-004284 // CNNVD: CNNVD-201309-419 // NVD: CVE-2013-3589

CREDITS

Tudor Enache of Help AG Middle East

Trust: 0.9

sources: BID: 62598 // CNNVD: CNNVD-201309-419

SOURCES

db:	CERT/CC	id:	VU#920038
db:	VULHUB	id:	VHN-63591
db:	VULMON	id:	CVE-2013-3589
db:	BID	id:	62598
db:	JVNDB	id:	JVNDB-2013-004284
db:	CNNVD	id:	CNNVD-201309-419
db:	NVD	id:	CVE-2013-3589

LAST UPDATE DATE

2025-04-11T22:48:35.586000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#920038	date:	2013-09-24T00:00:00
db:	VULHUB	id:	VHN-63591	date:	2013-09-25T00:00:00
db:	VULMON	id:	CVE-2013-3589	date:	2013-09-25T00:00:00
db:	BID	id:	62598	date:	2013-09-23T00:00:00
db:	JVNDB	id:	JVNDB-2013-004284	date:	2013-09-25T00:00:00
db:	CNNVD	id:	CNNVD-201309-419	date:	2013-09-25T00:00:00
db:	NVD	id:	CVE-2013-3589	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#920038	date:	2013-09-23T00:00:00
db:	VULHUB	id:	VHN-63591	date:	2013-09-24T00:00:00
db:	VULMON	id:	CVE-2013-3589	date:	2013-09-24T00:00:00
db:	BID	id:	62598	date:	2013-09-23T00:00:00
db:	JVNDB	id:	JVNDB-2013-004284	date:	2013-09-25T00:00:00
db:	CNNVD	id:	CNNVD-201309-419	date:	2013-09-25T00:00:00
db:	NVD	id:	CVE-2013-3589	date:	2013-09-24T10:35:51.923