CVE-2021-29209

Published: May 25, 2021Modified: Nov 21, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

A remote dom xss, crlf injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H version(s): Prior to version 2.78.

Affected (2)

Products: Hp: Integrated Lights Out 4, Integrated Lights Out 5

2 products

Integrated Lights Out 4

Integrated Lights Out 5

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Hp Integrated Lights Out 4	Before 2.78

Running on/with	Platform Versions
Hp Simplivity 380 Gen9	All versions

Configuration B

1 vulnerable · 26 platform

Vulnerable Software	Affected Versions
Hp Integrated Lights Out 5	Before 2.44

Running on/with	Platform Versions
Hp Proliant Bl460c Gen10 Server Blade	All versions
Hp Proliant Dl120 Gen10 Server	All versions
Hp Proliant Dl160 Gen10 Server	All versions
Hp Proliant Dl180 Gen10 Server	All versions
Hp Proliant Dl20 Gen10 Server	All versions
Hp Proliant Dl325 Gen10 Plus Server	All versions
Hp Proliant Dl325 Gen10 Server	All versions
Hp Proliant Dl360 Gen10 Server	All versions
Hp Proliant Dl380 Gen10 Server	All versions
Hp Proliant Dl385 Gen10 Plus Server	All versions
Hp Proliant Dl385 Gen10 Server	All versions
Hp Proliant Dl560 Gen10 Server	All versions
Hp Proliant Dl580 Gen10 Server	All versions
Hp Proliant Ml110 Gen10 Server	All versions
Hp Proliant Ml30 Gen10 Server	All versions
Hp Proliant Ml350 Gen10 Server	All versions
Hp Proliant Xl170r Gen10 Server	All versions
Hp Proliant Xl190r Gen10 Server	All versions
Hp Proliant Xl230k Gen10 Server	All versions
Hp Proliant Xl270d Gen10 Server	All versions
Hp Proliant Xl450 Gen10 Server	All versions
Hp Simplivity 2600	All versions
Hp Simplivity 325	All versions
Hp Simplivity 380 Gen10	All versions
Hp Simplivity 380 Gen10 G	All versions
Hp Simplivity 380 Gen10 H	All versions

Related CWEs

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04134en_us

Source: security-alert@hpe.com

Vendor Advisory

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04134en_us

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.