
CVE-2023-28083

Remote Stored Cross-Site Scripting

5.4 (Medium)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

HPE Integrated Lights-Out

iLO 6 before 1.20, iLO 5 before 2.78, iLO 4 before 2.82; the full and detailed list is at the end of the page

Jakub Brzozowski (redfr0g)

The HPE Integrated Lights-Out (iLO) web management interface running on port 443 is affected by a stored DOM-based Cross-Site Scripting vulnerability in the "Group Virtual Media" component. Neither the backend nor the frontend properly escapes HTML tags in the "image_url_file" parameter, which is then rendered into the DOM tree. This leads to stored HTML tag injection and execution of malicious JavaScript code in the browser of any user who views the affected page.
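As an added illustration (not iLO's code, and not part of the original advisory), the rendering pattern the advisory describes, placed beside two defensive fixes: output escaping in the frontend and URL validation in the backend. The function names, the `<td>` wrapper and the sample value are assumptions.

```javascript
// Constructed sample in the shape the advisory describes: a URL whose query
// string carries an HTML element with an event handler attribute.
const SAMPLE_IMAGE_URL =
  'http://example.com/xss?<img src=x onerror=prompt(document.cookie)>';

// Hypothetical reconstruction of the vulnerable pattern: the stored
// "image_url_file" value is concatenated into an HTML string that the page
// later assigns to innerHTML, so the browser parses the <img> tag and runs
// its onerror handler.
function renderVulnerable(imageUrlFile) {
  return '<td class="media-url">' + imageUrlFile + '</td>';
}

// Fix 1 (frontend): HTML-escape the value before concatenation so the
// browser treats it as inert text. (In a real page, prefer textContent or a
// templating engine that escapes by default.)
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function renderEscaped(imageUrlFile) {
  return '<td class="media-url">' + escapeHtml(imageUrlFile) + '</td>';
}

// Fix 2 (backend): validate the value as a virtual-media URL before storing
// it. Only http/https URLs are meaningful for scripted media, and a URL that
// contains HTML-significant characters is rejected outright. Note that the
// WHATWG URL parser alone does not reject the sample (it percent-encodes
// "<" and ">" in the query), so the character check is what closes the gap.
function isAcceptableImageUrl(value) {
  let url;
  try { url = new URL(value); } catch (e) { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return !/[<>"']/.test(value);
}

// Helper for checking rendered markup: did the untrusted value produce an
// element of its own?
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}
```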

Exploitation requirements:

  • Attacker must have access to a user with at least "Virtual Media Privilege" enabled.

In order to reproduce the vulnerability please do the following:

  1. (ATTACKER) Log in to the iLO web management interface,
  2. (ATTACKER) Navigate to "iLO Federation" -> "Group Virtual Media",
  3. (ATTACKER) Paste the following payload into the "Connect Virtual Floppy to 1 System Scripted Media URL"
    or "Connect CD/DVD-ROM to 1 System" field:
    http://example.com/xss?<img src=x onerror=prompt(document.cookie)>
  4. (ATTACKER) Click "Insert Media",
  5. (VICTIM) Log in to the iLO web management interface,
  6. (VICTIM) Navigate to "iLO Federation" -> "Group Virtual Media" or to the "Virtual Media" -> "Virtual Media" tab,
  7. (VICTIM) The XSS triggers, displaying a popup with the user's session cookies.

Timeline:

  • 02-12-2022 - vulnerability reported to HPE Security,
  • 05-12-2022 - first response from HPE,
  • 04-01-2023 - successful reproduction of the vulnerability by HPE,
  • 13-03-2023 - security advisory published by HPE.

List of vulnerable products:

  • HPE Integrated Lights-Out 4 (iLO 4) - Prior to v2.82
  • HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers - Prior to v2.78
  • HPE Integrated Lights-Out 6 (iLO 6) - Prior to v1.20
  • HPE ProLiant DL320 Gen11 Server - Prior to iLO 6 v1.20
  • HPE ProLiant DL325 Gen11 Server - Prior to iLO 6 v1.20
  • HPE ProLiant DL345 Gen11 Server - Prior to iLO 6 v1.20
  • HPE ProLiant DL360 Gen11 Server - Prior to iLO 6 v1.20
  • HPE ProLiant DL365 Gen11 Server - Prior to iLO 6 v1.20
  • HPE ProLiant DL380 Gen11 Server - Prior to iLO 6 v1.20
  • HPE ProLiant DL385 Gen11 Server - Prior to iLO 6 v1.20
  • HPE ProLiant ML350 Gen11 Server - Prior to iLO 6 v1.20
  • HPE ProLiant DX380 Gen10 Plus server - Prior to iLO 5 v2.78
  • HPE ProLiant DX385 Gen10 Plus server - Prior to iLO 5 v2.78
  • HPE ProLiant DX220n Gen10 Plus server - Prior to iLO 5 v2.78
  • HPE ProLiant DX360 Gen10 Plus server - Prior to iLO 5 v2.78
  • HPE ProLiant DX385 Gen10 Plus v2 server - Prior to iLO 5 v2.78
  • HPE ProLiant DX325 Gen10 Plus v2 server - Prior to iLO 5 v2.78
  • HPE ProLiant DX4200 Gen10 server - Prior to iLO 5 v2.78
  • HPE ProLiant DX560 Gen10 server - Prior to iLO 5 v2.78
  • HPE ProLiant DX380 Gen10 server - Prior to iLO 5 v2.78
  • HPE ProLiant DX360 Gen10 server - Prior to iLO 5 v2.78
  • HPE ProLiant DX170r Gen10 server - Prior to iLO 5 v2.78
  • HPE ProLiant DX190r Gen10 server - Prior to iLO 5 v2.78
  • HPE ProLiant DL20 Gen10 Plus server - Prior to iLO 5 v2.78
  • HPE ProLiant ML30 Gen10 Plus server - Prior to iLO 5 v2.78
  • HPE ProLiant ML110 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant ML350 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant DL325 Gen10 Plus server - Prior to iLO 5 v2.78
  • HPE ProLiant DL360 Gen10 Plus server - Prior to iLO 5 v2.78
  • HPE ProLiant DL345 Gen10 Plus server - Prior to iLO 5 v2.78
  • HPE ProLiant DL365 Gen10 Plus server - Prior to iLO 5 v2.78
  • HPE ProLiant DL385 Gen10 Plus v2 server - Prior to iLO 5 v2.78
  • HPE ProLiant DL380 Gen10 Plus server - Prior to iLO 5 v2.78
  • HPE ProLiant DL385 Gen10 Plus server - Prior to iLO 5 v2.78
  • HPE ProLiant DL20 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant DL120 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant DL160 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant DL180 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant DL325 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant DL360 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant DL380 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant DL385 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant DL580 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant DL560 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant BL460c Gen10 Server Blade - Prior to iLO 5 v2.78
  • HPE Synergy 680 Gen9 Compute Module - Prior to iLO 4 v2.82
  • HPE Synergy 660 Gen9 Compute Module - Prior to iLO 4 v2.82
  • HPE Synergy 620 Gen9 Compute Module - Prior to iLO 4 v2.82
  • HPE Synergy 480 Gen9 Compute Module - Prior to iLO 4 v2.82
  • HPE StoreEasy 1860 Performance Storage - Prior to iLO 5 v2.78
  • HPE StoreEasy 1660 Performance Storage - Prior to iLO 5 v2.78
  • HPE StoreEasy 1660 Expanded Storage - Prior to iLO 5 v2.78
  • HPE StoreEasy 1560 Storage - Prior to iLO 5 v2.78
  • HPE StoreEasy 1660 Storage - Prior to iLO 5 v2.78
  • HPE StoreEasy 1460 Storage - Prior to iLO 5 v2.78
  • HPE Storage File Controller - Prior to iLO 5 v2.78
  • HPE Storage Performance File Controller - Prior to iLO 5 v2.78
  • HPE Synergy 480 Gen10 Plus Compute Module - Prior to iLO 5 v2.78
  • HPE Synergy 480 Gen10 Compute Module - Prior to iLO 5 v2.78
  • HPE Synergy 660 Gen10 Compute Module - Prior to iLO 5 v2.78
  • HPE Apollo r2200 Gen10 12 LFF Configure-to-order Chassis - Prior to iLO 5 v2.78
  • HPE Apollo r2800 Gen10 24 SFF Flexible Configure-to-order Chassis - Prior to iLO 5 v2.78
  • HPE Apollo r2600 Gen10 24 SFF Premium Configure-to-order Chassis - Prior to iLO 5 v2.78
  • HPE Apollo n2600 Gen10 Plus - Prior to iLO 5 v2.78
  • HPE Apollo 4200 Gen10 Server - Prior to iLO 5 v2.78
  • HPE Apollo n2800 Gen10 Plus - Prior to iLO 5 v2.78
  • HPE Apollo 4510 Gen10 System - Prior to iLO 5 v2.78
  • HPE Apollo 4200 Gen10 Plus System - Prior to iLO 5 v2.78
  • HPE Apollo 6500 Gen10 System - Prior to iLO 5 v2.78
  • HPE Apollo 6500 Gen10 Plus System - Prior to iLO 5 v2.78
  • HPE Edgeline e920d Server Blade - Prior to iLO 5 v2.78
  • HPE Edgeline e920t Server Blade - Prior to iLO 5 v2.78
  • HPE Edgeline e920 Server Blade - Prior to iLO 5 v2.78
  • HPE ProLiant e910t Server Blade - Prior to iLO 5 v2.78
  • HPE ProLiant e910 Server Blade - Prior to iLO 5 v2.78
  • HPE ProLiant XL220n Gen10 Plus Server - Prior to iLO 5 v2.78
  • HPE ProLiant XL170r Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant XL230k Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant XL270d Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant XL290n Gen10 Plus Server - Prior to iLO 5 v2.78
  • HPE ProLiant XL450 Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant XL190r Gen10 Server - Prior to iLO 5 v2.78
  • HPE ProLiant XL675d Gen10 Plus Server - Prior to iLO 5 v2.78
  • HPE ProLiant XL645d Gen10 Plus Server - Prior to iLO 5 v2.78
  • HPE ProLiant XL225n Gen10 Plus 1U Node - Prior to iLO 5 v2.78
  • HPE StoreEasy 1860 Storage - Prior to iLO 5 v2.78
  • HPE StoreEasy 3840 Gateway Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 3840 Gateway Storage Blade - Prior to iLO 4 v2.82
  • HPE StoreEasy 3830 Gateway Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 3830 Gateway Storage Blade - Prior to iLO 4 v2.82
  • HPE StoreEasy 1840 Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 1830 Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 1640 Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 1630 Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 1540 Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 1530 Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 1440 Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 1430 Storage - Prior to iLO 4 v2.82
  • HPE StoreVirtual 3000 File Controller - Prior to iLO 4 v2.82
  • HPE StoreEasy 3850 Gateway Single Node Upgrade - Prior to iLO 4 v2.82
  • HPE StoreEasy 3850 Gateway Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 3850 Gateway Storage Blade - Prior to iLO 4 v2.82
  • HPE StoreEasy 1850 Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 1650 Expanded Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 1650 Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 1550 Storage - Prior to iLO 4 v2.82
  • HPE StoreEasy 1450 Storage - Prior to iLO 4 v2.82
  • HPE 3PAR StoreServ File Controller - Prior to iLO 4 v2.82
  • HPE 3PAR StoreServ File Controller v2 Storage - Prior to iLO 4 v2.82
  • HPE 3PAR StoreServ File Controller v3 System - Prior to iLO 4 v2.82
  • HPE Apollo 4200 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant WS460c Gen8 Graphics Server Blade - Prior to iLO 4 v2.82
  • HPE ProLiant WS460c Gen9 Graphics Server Blade - Prior to iLO 4 v2.82
  • HPE ProLiant MicroServer Gen8 - Prior to iLO 4 v2.82
  • HPE ProLiant ML110 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant XL170r Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant XL190r Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant XL220a Gen8 v2 Server - Prior to iLO 4 v2.82
  • HPE ProLiant XL230b Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant XL230a Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant XL250a Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant XL270d Gen9 Special Server - Prior to iLO 4 v2.82
  • HPE ProLiant XL450 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant XL730f Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant XL740f Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant XL750f Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant SL210t Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant SL230s Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant SL250s Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant SL270s Gen8 SE Server - Prior to iLO 4 v2.82
  • HPE ProLiant SL270s Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant ML30 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant ML310e Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant ML310e Gen8 v2 Server - Prior to iLO 4 v2.82
  • HPE ProLiant ML350e Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant ML350e Gen8 v2 Server - Prior to iLO 4 v2.82
  • HPE ProLiant ML350p Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant ML350 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL20 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL60 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL80 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL120 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL160 Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL160 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL180 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL320e Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL320e Gen8 v2 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL360e Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL360p Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL360 Gen9 Server - Prior to iLO 4 v2.82
  • HPE Apollo r2000 Chassis - Prior to iLO 5 v2.78
  • HPE ProLiant DL380e Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL380p Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL380 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL385p Gen8 (AMD) - Prior to iLO 4 v2.82
  • HPE ProLiant DL560 Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL560 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL580 Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant DL580 Gen9 Server - Prior to iLO 4 v2.82
  • HPE ProLiant BL420c Gen8 Server - Prior to iLO 4 v2.82
  • HPE ProLiant BL460c Gen8 Server Blade - Prior to iLO 4 v2.82
  • HPE ProLiant BL460c Gen9 Server Blade - Prior to iLO 4 v2.82
  • HPE ProLiant BL465c Gen8 Server Blade - Prior to iLO 4 v2.82
  • HPE ProLiant BL660c Gen8 Server Blade - Prior to iLO 4 v2.82
  • HPE ProLiant BL660c Gen9 Server - Prior to iLO 4 v2.82