4 results (0.021 seconds)

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Dell EMC Data Protection Advisor versions 19.6 and earlier, contains a Stored Cross Site Scripting, an attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. Dell EMC Data Protection Advisor versiones 19.6 y anteriores, contienen una vulnerabilidad de tipo Cross Site Scripting Almacenado, un atacante podría explotar esta vulnerabilidad, conllevando a un almacenamiento de códigos HTML o JavaScript maliciosos en un almacén de datos de aplicaciones confiables. Cuando un usuario víctima accede al almacén de datos mediante su navegador, el código malicioso es ejecutado por el navegador web en el contexto de la aplicación web vulnerable. • https://www.dell.com/support/kbdoc/en-us/000201824/dsa-2022-107-dell-emc-data-protection-advisor-dpa-security-update-for-stored-cross-site-scripting-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.1EPSS: 0%CPEs: 15EXPL: 0

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to inject malicious report generation scripts in the server. This may lead to OS command execution as the regular user runs the DPA service on the affected system. Dell EMC Data Protection Advisor versiones 6.3, 6.4, 6.5, 18.2 anteriores al parche 83 y las versiones 19.1 anteriores al parche 71, contiene una vulnerabilidad de inyección de plantilla del lado del servidor en la API REST. Un usuario malicioso autenticado remoto con privilegios administrativos puede explotar esta vulnerabilidad para inyectar scripts de generación de reportes maliciosos en el servidor. • https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.1EPSS: 0%CPEs: 15EXPL: 0

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to alter the application’s allowable list of OS commands. This may lead to arbitrary OS command execution as the regular user runs the DPA service on the affected system. Dell EMC Data Protection Advisor versiones 6.3, 6.4, 6.5, 18.2 anteriores al parche 83 y las versiones 19.1 anteriores al parche 71 contiene una vulnerabilidad de falta de autorización del servidor en la API REST. Un usuario malicioso autenticado remoto con privilegios administrativos puede explotar esta vulnerabilidad para alterar la lista permitida de comandos de Sistema Operativo de la aplicación. • https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities • CWE-862: Missing Authorization •

CVSS: 8.1EPSS: 0%CPEs: 6EXPL: 0

Dell EMC Data Protection Advisor, versions 6.2, 6,3, 6.4, 6.5 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 contain a XML External Entity (XXE) Injection vulnerability in the REST API. An authenticated remote malicious user could potentially exploit this vulnerability to read certain system files in the server or cause denial of service by supplying specially crafted Document Type Definitions (DTDs) in an XML request. Dell EMC Data Protection Advisor, en versiones 6.2, 6,3, 6.4 y 6.5 y Dell EMC Integrated Data Protection Appliance (IDPA) en versiones 2.0 y 2.1 contienen una vulnerabilidad de inyección XEE (XML External Entity) en la API REST. Un usuario autenticado remoto malicioso podría explotar esta vulnerabilidad para leer ciertos archivos del sistema en el servidor o provocar una denegación de servicio (DoS) proporcionando DTD (Document Type Definition) especialmente manipulados en una petición XML. • http://seclists.org/fulldisclosure/2018/Aug/5 http://www.securityfocus.com/bid/105130 http://www.securitytracker.com/id/1041417 • CWE-611: Improper Restriction of XML External Entity Reference •