CVE-2023-44286

Name

DOM-based Cross-Site Scripting

CVSS score

8.8 (High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Product name

Dell PowerProtect DD

Confirmed exploitable versions

prior to: 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110

Researcher

Jakub Brzozowski (redfr0g), Franciszek Kalinowski, Stanisław Koza

Description

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote, unauthenticated attacker could potentially exploit this vulnerability, leading to the injection of malicious HTML or JavaScript code into a victim user's DOM environment in the browser. Exploitation may lead to information disclosure, session theft, or client-side request forgery.

Proof-of-concept

PoC: TBA

Timeline

05-10-2023 - vulnerability reported to vendor
10-01-2024 - public security advisory released

References

https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44286