Vulnerability CVE-2018-1202

Vulnerability Name:

CVE-2018-1202 (CCN-139108)

Assigned:

2017-12-06

Published:

2018-02-14

Updated:

2018-04-19

Summary:

Dell EMC Isilon versions between 8.1.0.0 - 8.1.0.1, 8.0.1.0 - 8.0.1.2, and 8.0.0.0 - 8.0.0.6, and version 7.1.1.11 is affected by a cross-site scripting vulnerability in the NDMP Page within the OneFS web administration interface. A malicious administrator may potentially inject arbitrary HTML or JavaScript code in the user's browser session in the context of the OneFS website.

CVSS v3 Severity:

4.8 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): High User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2018-1202

Source: CCN
Type: Full-Disclosure Mailing List, Wed, 14 Feb 2018 16:22:53 -0300
[CORE-2017-0009] - Dell EMC Isilon OneFS Multiple Vulnerabilities

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20180319 DSA-2018-018: Dell EMC Isilon OneFS Multiple Vulnerabilities

Source: BID
Type: Third Party Advisory, VDB Entry
103033

Source: CCN
Type: BID-103033
Dell EMC Isilon OneFS Multiple Security Vulnerabilities

Source: XF
Type: UNKNOWN
emc-isilon-cve20181202-xss(139108)

Source: CCN
Type: Packet Storm Security [02-14-2018]
Dell EMC Isilon OneFS XSS / Code Execution / CSRF

Source: CCN
Type: EMC Web site
Isilon OneFS

Source: MISC
Type: Exploit, Third Party Advisory
https://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [02-14-2018]

Source: EXPLOIT-DB
Type: Exploit, Third Party Advisory, VDB Entry
44039

Vulnerable Configuration:

Configuration 1:

cpe:/a:dell:emc_isilon:7.1.1.11:*:*:*:*:*:*:*

OR cpe:/a:dell:emc_isilon:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.0.0.6)

OR cpe:/a:dell:emc_isilon:*:*:*:*:*:*:*:* (Version >= 8.0.1.0 and <= 8.0.1.2)

OR cpe:/a:dell:emc_isilon:*:*:*:*:*:*:*:* (Version >= 8.1.0.0 and <= 8.1.0.1)

Configuration CCN 1:

cpe:/o:emc:isilon_onefs:7.1.0.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK