NVD:CVE-2023-23691
Jan 20, 2023 - 8:15 a.m.

CVE-2023-23691

2023-01-20 08:15:17
CWE-444
web.nvd.nist.gov
dell emc pv me5
client-side desync
vulnerability
unauthenticated attacker
xss
dos
exploit

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H

AI Score: 7.9
Confidence: High

EPSS: 0.001
Percentile: 40.4%

Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim’s browser to desynchronize its connection with the website, typically leading to XSS and DoS.

Affected configurations

Nvd

Node
  dell  powervault_me5012_firmware  Range < me5.1.1.0.5
  AND
  dell  powervault_me5012  Match -
Node
  dell  powervault_me5024_firmware  Range < me5.1.1.0.5
  AND
  dell  powervault_me5024  Match -
Node
  dell  powervault_me5084_firmware  Range < me5.1.1.0.5
  AND
  dell  powervault_me5084  Match -

Vendor  Product                     Version  CPE
dell    powervault_me5012_firmware  *        cpe:2.3:o:dell:powervault_me5012_firmware:*:*:*:*:*:*:*:*
dell    powervault_me5012           -        cpe:2.3:h:dell:powervault_me5012:-:*:*:*:*:*:*:*
dell    powervault_me5024_firmware  *        cpe:2.3:o:dell:powervault_me5024_firmware:*:*:*:*:*:*:*:*
dell    powervault_me5024           -        cpe:2.3:h:dell:powervault_me5024:-:*:*:*:*:*:*:*
dell    powervault_me5084_firmware  *        cpe:2.3:o:dell:powervault_me5084_firmware:*:*:*:*:*:*:*:*
dell    powervault_me5084           -        cpe:2.3:h:dell:powervault_me5084:-:*:*:*:*:*:*:*
