Dell

Dell EMC Repository Manager version 3.4.0 contains a plain-text password storage vulnerability

CVE-2022-26856 7.8 - High - April 21, 2022

Dell EMC Repository Manager version 3.4.0 contains a plain-text password storage vulnerability. A local attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application's database with privileges of the compromised account.

Insufficiently Protected Credentials

Dell EMC AppSync versions from 3.9 to 4.3 contain a path traversal vulnerability in AppSync server

CVE-2022-24424 7.5 - High - April 21, 2022

Dell EMC AppSync versions from 3.9 to 4.3 contain a path traversal vulnerability in AppSync server. A remote unauthenticated attacker may potentially exploit this vulnerability to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application.

Directory traversal

Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability

CVE-2022-23163 5.5 - Medium - April 12, 2022

Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability. A local malicious user could potentially exploit this vulnerability, leading to denial of service/data unavailability.

Exposure of Resource to Wrong Sphere

Dell PowerScale OneFS 8.2.2 and above contain an elevation of privilege vulnerability

CVE-2022-24411 7.8 - High - April 12, 2022

Dell PowerScale OneFS 8.2.2 and above contain an elevation of privilege vulnerability. A local attacker with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE could potentially exploit this vulnerability, leading to elevation of privilege. This could potentially allow users to circumvent PowerScale Compliance Mode guarantees.

Exposure of Resource to Wrong Sphere

Dell EMC PowerScale OneFS 8.2.x - 9.3.0.x contain an improper handling of value vulnerability

CVE-2022-24412 7.5 - High - April 12, 2022

Dell EMC PowerScale OneFS 8.2.x - 9.3.0.x contain an improper handling of value vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to denial-of-service.

Dell PowerScale OneFS, versions 8.2.2-9.3.x, contain a time-of-check-to-time-of-use vulnerability

CVE-2022-24413 3.6 - Low - April 12, 2022

Dell PowerScale OneFS, versions 8.2.2-9.3.x, contain a time-of-check-to-time-of-use vulnerability. A local user with access to the filesystem could potentially exploit this vulnerability, leading to data loss.

TOCTTOU

Dell PowerScale OneFS, 8.2.x-9.3.x, contains a Improper Certificate Validation

CVE-2022-22549 8.1 - High - April 12, 2022

Dell PowerScale OneFS, 8.2.x-9.3.x, contains a Improper Certificate Validation. A unauthenticated remote attacker could potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials.

Improper Certificate Validation

Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability

CVE-2022-22550 6.7 - Medium - April 12, 2022

Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability. An unprivileged local attacker could potentially exploit this vulnerability, leading to account take over.

Insufficiently Protected Credentials

Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm

CVE-2022-22559 7.5 - High - April 12, 2022

Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker could exploit this vulnerability, leading to the potential for information disclosure.

Use of a Broken or Risky Cryptographic Algorithm

Dell EMC PowerScale OneFS 8.1.x - 9.1.x contain hard coded credentials

CVE-2022-22560 5.5 - Medium - April 12, 2022

Dell EMC PowerScale OneFS 8.1.x - 9.1.x contain hard coded credentials. This allows a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker can exploit this vulnerability to take the switch offline.

Use of Hard-coded Credentials

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts

CVE-2022-22561 9.8 - Critical - April 12, 2022

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to compromised accounts.

Improper Restriction of Excessive Authentication Attempts

Dell PowerScale OneFS, versions 8.2.0-9.3.0, contain a improper handling of missing values exploit

CVE-2022-22562 7.5 - High - April 12, 2022

Dell PowerScale OneFS, versions 8.2.0-9.3.0, contain a improper handling of missing values exploit. An unauthenticated network attacker could potentially exploit this denial-of-service vulnerability.

Dell PowerScale OneFS, versions 9.0.0-9.3.0, contain an improper authorization of index containing sensitive information

CVE-2022-22565 3.8 - Low - April 12, 2022

Dell PowerScale OneFS, versions 9.0.0-9.3.0, contain an improper authorization of index containing sensitive information. An authenticated and privileged user could potentially exploit this vulnerability, leading to disclosure or modification of sensitive data.

Dell PowerScale OneFS, 8.2.2 - 9.3.0.x, contain a missing release of memory after effective lifetime vulnerability

CVE-2022-23159 6.5 - Medium - April 12, 2022

Dell PowerScale OneFS, 8.2.2 - 9.3.0.x, contain a missing release of memory after effective lifetime vulnerability. An authenticated user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_AUTH_PROVIDERS privileges could exploit this vulnerability, leading to a Denial-Of-Service. This can also impact a cluster in Compliance mode. Dell recommends to update at the earliest opportunity.

Memory Leak

Dell PowerScale OneFS, versions 8.2.0-9.3.0, contains an Improper Handling of Insufficient Permissions vulnerability

CVE-2022-23160 4.3 - Medium - April 12, 2022

Dell PowerScale OneFS, versions 8.2.0-9.3.0, contains an Improper Handling of Insufficient Permissions vulnerability. An remote malicious user could potentially exploit this vulnerability, leading to gaining write permissions on read-only files.

Improper Privilege Management

Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect

CVE-2022-23161 7.5 - High - April 12, 2022

Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker may potentially exploit this vulnerability, leading to denial-of-service.

Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd

CVE-2022-22563 4.4 - Medium - April 08, 2022

Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd. A high-privileged user can exploit this vulnerability to not record information identifying the source of account information changes.

Dell PowerScale OneFS, versions 8.2.x, 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2.1.x, and 9.3.0.x, contain an improper preservation of privileges

CVE-2022-24428 8.8 - High - April 08, 2022

Dell PowerScale OneFS, versions 8.2.x, 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2.1.x, and 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure.

Improper Preservation of Permissions

Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability

CVE-2022-26851 9.1 - Critical - April 08, 2022

Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to data loss.

Use of Insufficiently Random Values

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator

CVE-2022-26852 9.8 - Critical - April 08, 2022

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise.

PRNG

Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms

CVE-2022-26854 9.8 - Critical - April 08, 2022

Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access

Use of a Broken or Risky Cryptographic Algorithm

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability

CVE-2022-26855 5.5 - Medium - April 08, 2022

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service.

Incorrect Default Permissions

Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unrestricted file upload vulnerability

CVE-2022-23155 7.2 - High - April 01, 2022

Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unrestricted file upload vulnerability. A malicious user with admin privileges can exploit this vulnerability in order to execute arbitrary code on the system.

Unrestricted File Upload

Dell Command | Update

CVE-2022-24426 7.8 - High - April 01, 2022

Dell Command | Update, Dell Update, and Alienware Update version 4.4.0 contains a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component. A local malicious user could potentially exploit this vulnerability, leading to privilege escalation.

DLL preloading

Wyse Device Agent version 14.6.1.4 and below contain an Improper Authentication vulnerability

CVE-2022-23156 6.7 - Medium - April 01, 2022

Wyse Device Agent version 14.6.1.4 and below contain an Improper Authentication vulnerability. A malicious user could potentially exploit this vulnerability by providing invalid input in order to obtain a connection to WMS server.

authentification

Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability

CVE-2022-23157 4.4 - Medium - April 01, 2022

Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. A authenticated malicious user could potentially exploit this vulnerability in order to view sensitive information from the WMS Server.

Information Disclosure

Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability

CVE-2022-23158 4.4 - Medium - April 01, 2022

Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. A local authenticated user with standard privilege could potentially exploit this vulnerability and provide incorrect port information and get connected to valid WMS server

Information Disclosure

Dell EMC Enterprise Storage Analytics for vRealize Operations, versions 4.0.1 to 6.2.1, contain a Plain-text password storage vulnerability

CVE-2021-43590 6 - Medium - March 04, 2022

Dell EMC Enterprise Storage Analytics for vRealize Operations, versions 4.0.1 to 6.2.1, contain a Plain-text password storage vulnerability. A local high privileged malicious user may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.

Cleartext Storage of Sensitive Information

Dell BSAFE SSL-J contains remediation for a covert timing channel vulnerability

CVE-2022-24409 9.8 - Critical - February 23, 2022

Dell BSAFE SSL-J contains remediation for a covert timing channel vulnerability that may be exploited by malicious users to compromise the affected system. Only customers with active BSAFE maintenance contracts can receive details about this vulnerability. Public disclosure of the vulnerability details will be shared at a later date.

Dell EMC Data Protection Central versions 19.5 and prior contain a Server Side Request Forgery vulnerability in the DPC DNS client processing

CVE-2021-36349 4.3 - Medium - January 24, 2022

Dell EMC Data Protection Central versions 19.5 and prior contain a Server Side Request Forgery vulnerability in the DPC DNS client processing. A remote malicious user could potentially exploit this vulnerability, allowing port scanning of external hosts.

XSPA

Dell EMC Data Protection Central version 19.5 contains an Improper Input Validation Vulnerability

CVE-2021-43588 7.5 - High - January 24, 2022

Dell EMC Data Protection Central version 19.5 contains an Improper Input Validation Vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service.

Improper Input Validation

Dell EMC Unity

CVE-2021-43589 6.7 - Medium - January 24, 2022

Dell EMC Unity, Dell EMC UnityVSA and Dell EMC Unity XT versions prior to 5.1.2.0.5.007 contain an operating system (OS) command injection Vulnerability. A locally authenticated user with high privileges may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the Unity underlying OS, with the privileges of the vulnerable application. Exploitation may lead to an elevation of privilege.

Shell injection

Dell EMC System Update, version 1.9.2 and prior, contain an Unprotected Storage of Credentials vulnerability

CVE-2022-22554 5.5 - Medium - January 24, 2022

Dell EMC System Update, version 1.9.2 and prior, contain an Unprotected Storage of Credentials vulnerability. A local attacker with user privleges could potentially exploit this vulnerability leading to the disclosure of user passwords.

Insufficiently Protected Credentials

Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege escalation vulnerability

CVE-2021-36338 8 - High - January 21, 2022

Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege escalation vulnerability. An adjacent malicious user could potentially exploit this vulnerability to escalate their privileges and access functionalities they do not have access to.

Incorrect Resource Transfer Between Spheres

The Dell EMC Virtual Appliances before 9.2.2.2 contain undocumented user accounts

CVE-2021-36339 7.8 - High - January 21, 2022

The Dell EMC Virtual Appliances before 9.2.2.2 contain undocumented user accounts. A local malicious user may potentially exploit this vulnerability to get privileged access to the virtual appliance.

Improper Privilege Management

DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings

CVE-2022-22551 8.8 - High - January 21, 2022

DELL EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker could potentially exploit this vulnerability, and hijack the victim session.

Session Fixation

Dell EMC AppSync versions 3.9 to 4.3 contain a clickjacking vulnerability in AppSync

CVE-2022-22552 6.1 - Medium - January 21, 2022

Dell EMC AppSync versions 3.9 to 4.3 contain a clickjacking vulnerability in AppSync. A remote unauthenticated attacker could potentially exploit this vulnerability to trick the victim into executing state changing operations.

Clickjacking

Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability

CVE-2022-22553 9.8 - Critical - January 21, 2022

Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability that can be exploited from UI and CLI. An adjacent unauthenticated attacker could potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users.

Improper Restriction of Excessive Authentication Attempts

Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller

CVE-2021-36317 6.7 - Medium - December 21, 2021

Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.

Unprotected Storage of Credentials

Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 contain an improper privilege management vulnerability in AUI

CVE-2021-36316 7.2 - High - December 21, 2021

Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 contain an improper privilege management vulnerability in AUI. A malicious user with high privileges could potentially exploit this vulnerability, leading to the disclosure of the AUI info and performing some unauthorized operation on the AUI.

Improper Privilege Management

Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text password storage vulnerability

CVE-2021-36318 6.7 - Medium - December 21, 2021

Dell EMC Avamar versions 18.2,19.1,19.2,19.3,19.4 contain a plain-text password storage vulnerability. A high privileged user could potentially exploit this vulnerability, leading to a complete outage.

Insufficiently Protected Credentials

Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authentication bypass by primary weakness in one of the authentication factors

CVE-2021-36350 7.5 - High - December 21, 2021

Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authentication bypass by primary weakness in one of the authentication factors. A remote unauthenticated attacker may potentially exploit this vulnerability and bypass one of the factors of authentication.

authentification

Dell PowerPath Management Appliance, versions 3.2, 3.1, 3.0 P01, 3.0, and 2.6, use hard-coded cryptographic key

CVE-2021-43587 6.7 - Medium - December 21, 2021

Dell PowerPath Management Appliance, versions 3.2, 3.1, 3.0 P01, 3.0, and 2.6, use hard-coded cryptographic key. A local high-privileged malicious user may potentially exploit this vulnerability to gain access to secrets and elevate to gain higher privileges.

Use of Hard-coded Cryptographic Key

Wyse Management Suite 3.3.1 and below versions contain a deserialization vulnerability

CVE-2021-36336 9.8 - Critical - December 21, 2021

Wyse Management Suite 3.3.1 and below versions contain a deserialization vulnerability that could allow an unauthenticated attacker to execute code on the affected system.

Marshaling, Unmarshaling

Dell Wyse Management Suite version 3.3.1 and prior support insecure Transport Security Protocols TLS 1.0 and TLS 1.1

CVE-2021-36337 7.4 - High - December 21, 2021

Dell Wyse Management Suite version 3.3.1 and prior support insecure Transport Security Protocols TLS 1.0 and TLS 1.1 which are susceptible to Man-In-The-Middle attacks thereby compromising Confidentiality and Integrity of data.

Inadequate Encryption Strength

Dell Wyse Device Agent version 14.5.4.1 and below contain a sensitive data exposure vulnerability

CVE-2021-36341 5.5 - Medium - December 21, 2021

Dell Wyse Device Agent version 14.5.4.1 and below contain a sensitive data exposure vulnerability. A local authenticated user with low privileges could potentially exploit this vulnerability in order to access sensitive information.

Information Disclosure

Dell EMC Streaming Data Platform versions before 1.3 contain an Indirect Object Reference Vulnerability

CVE-2021-36329 6.5 - Medium - November 30, 2021

Dell EMC Streaming Data Platform versions before 1.3 contain an Indirect Object Reference Vulnerability. A remote malicious user may potentially exploit this vulnerability to gain sensitive information.

Insecure Direct Object Reference / IDOR

Dell EMC Streaming Data Platform versions before 1.3 contain an Insufficient Session Expiration Vulnerability

CVE-2021-36330 9.8 - Critical - November 30, 2021

Dell EMC Streaming Data Platform versions before 1.3 contain an Insufficient Session Expiration Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to reuse old session artifacts to impersonate a legitimate user.

Insufficient Session Expiration

Dell EMC Streaming Data Platform, versions prior to 1.3 contain an SSL Strip Vulnerability in the User Interface (UI)

CVE-2021-36326 6.5 - Medium - November 30, 2021

Dell EMC Streaming Data Platform, versions prior to 1.3 contain an SSL Strip Vulnerability in the User Interface (UI). A remote unauthenticated attacker could potentially exploit this vulnerability, leading to a downgrade in the communications between the client and server into an unencrypted format.

Algorithm Downgrade

Dell EMC Streaming Data Platform versions before 1.3 contain a Server Side Request Forgery Vulnerability

CVE-2021-36327 5.3 - Medium - November 30, 2021

Dell EMC Streaming Data Platform versions before 1.3 contain a Server Side Request Forgery Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to perform port scanning of internal networks and make HTTP requests to an arbitrary domain of the attacker's choice.

XSPA

Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability

CVE-2021-36328 8.8 - High - November 30, 2021

Dell EMC Streaming Data Platform versions before 1.3 contain a SQL Injection Vulnerability. A remote malicious user may potentially exploit this vulnerability to execute SQL commands to perform unauthorized actions and retrieve sensitive information from the database.

SQL Injection

iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability

CVE-2021-36300 8.2 - High - November 23, 2021

iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to crash the webserver or cause information disclosure.

SQL Injection

Dell EMC CloudLink 7.1 and all prior versions contain an OS command injection Vulnerability

CVE-2021-36313 7.2 - High - November 23, 2021

Dell EMC CloudLink 7.1 and all prior versions contain an OS command injection Vulnerability. A remote high privileged attacker, may potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. This vulnerability is considered critical as it may be leveraged to completely compromise the vulnerable application as well as the underlying operating system. Dell recommends customers to upgrade at the earliest opportunity.

Shell injection

Dell EMC CloudLink 7.1 and all prior versions contain a Hard-coded Password Vulnerability

CVE-2021-36312 9.1 - Critical - November 23, 2021

Dell EMC CloudLink 7.1 and all prior versions contain a Hard-coded Password Vulnerability. A remote high privileged attacker, with the knowledge of the hard-coded credentials, may potentially exploit this vulnerability to gain unauthorized access to the system.

Use of Hard-coded Password

Dell EMC CloudLink 7.1 and all prior versions contain an Improper Input Validation Vulnerability

CVE-2021-36335 8.8 - High - November 23, 2021

Dell EMC CloudLink 7.1 and all prior versions contain an Improper Input Validation Vulnerability. A remote low privileged attacker, may potentially exploit this vulnerability, leading to execution of arbitrary files on the server

Improper Input Validation

Dell EMC CloudLink 7.1 and all prior versions contain a CSV formula Injection Vulnerability

CVE-2021-36334 6.8 - Medium - November 23, 2021

Dell EMC CloudLink 7.1 and all prior versions contain a CSV formula Injection Vulnerability. A remote high privileged attacker, may potentially exploit this vulnerability, leading to arbitrary code execution on end user machine

CSV Injection

Dell EMC CloudLink 7.1 and all prior versions contain a Buffer Overflow Vulnerability

CVE-2021-36333 5.5 - Medium - November 23, 2021

Dell EMC CloudLink 7.1 and all prior versions contain a Buffer Overflow Vulnerability. A local low privileged attacker, may potentially exploit this vulnerability, leading to an application crash.

Classic Buffer Overflow

Dell EMC CloudLink 7.1 and all prior versions contain an Arbitrary File Creation Vulnerability

CVE-2021-36314 9.8 - Critical - November 23, 2021

Dell EMC CloudLink 7.1 and all prior versions contain an Arbitrary File Creation Vulnerability. A remote unauthenticated attacker, may potentially exploit this vulnerability, leading to the execution of arbitrary files on the end user system.

Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability

CVE-2021-36311 7.8 - High - November 23, 2021

Dell EMC Networker versions prior to 19.5 contain an Improper Authorization vulnerability. Any local malicious user with networker user privileges may exploit this vulnerability to upload malicious file to unauthorized locations and execute it.

Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability

CVE-2021-36299 8.1 - High - November 23, 2021

Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application.

SQL Injection

Dell EMC CloudLink 7.1 and all prior versions contain a HTML and Javascript Injection Vulnerability

CVE-2021-36332 5.4 - Medium - November 23, 2021

Dell EMC CloudLink 7.1 and all prior versions contain a HTML and Javascript Injection Vulnerability. A remote low privileged attacker, may potentially exploit this vulnerability, directing end user to arbitrary and potentially malicious websites.

Open Redirect

Dell PowerScale OneFS version 8.1.2 contains a sensitive information exposure vulnerability

CVE-2021-21561 5.5 - Medium - November 23, 2021

Dell PowerScale OneFS version 8.1.2 contains a sensitive information exposure vulnerability. This would allow a malicious user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE privileges to gain access to sensitive information in the log files.

Insertion of Sensitive Information into Log File

Dell iDRAC 9 prior to version 4.40.40.00 and iDRAC 8 prior to version 2.80.80.80 contain a Stack Buffer Overflow in Racadm

CVE-2021-36301 7.2 - High - November 23, 2021

Dell iDRAC 9 prior to version 4.40.40.00 and iDRAC 8 prior to version 2.80.80.80 contain a Stack Buffer Overflow in Racadm. An authenticated remote attacker may potentially exploit this vulnerability to control process execution and gain access to the underlying operating system.

Memory Corruption

Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains an authentication bypass vulnerability

CVE-2021-36306 9.8 - Critical - November 20, 2021

Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to gain access and perform actions on the affected system.

authentification

Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains a privilege escalation vulnerability

CVE-2021-36307 8.8 - High - November 20, 2021

Networking OS10, versions prior to October 2021 with RESTCONF API enabled, contains a privilege escalation vulnerability. A malicious low privileged user with specific access to the API could potentially exploit this vulnerability to gain admin privileges on the affected system.

Improper Privilege Management

Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an authentication bypass vulnerability

CVE-2021-36308 9.8 - Critical - November 20, 2021

Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to gain access and perform actions on the affected system.

authentification

Dell Networking OS10

CVE-2021-36310 4.9 - Medium - November 20, 2021

Dell Networking OS10, versions 10.4.3.x, 10.5.0.x, 10.5.1.x & 10.5.2.x, contain an uncontrolled resource consumption flaw in its API service. A high-privileged API user may potentially exploit this vulnerability, leading to a denial of service.

Resource Exhaustion

Dell Networking OS10 versions 10.4.3.x, 10.5.0.x and 10.5.1.x contain an information exposure vulnerability

CVE-2021-36319 3.3 - Low - November 20, 2021

Dell Networking OS10 versions 10.4.3.x, 10.5.0.x and 10.5.1.x contain an information exposure vulnerability. A low privileged authenticated malicious user can gain access to SNMP authentication failure messages.

Exposure of Resource to Wrong Sphere

Dell EMC SCG 5.00.00.10 and earlier, contain a sensitive information disclosure vulnerability

CVE-2021-36340 5.5 - Medium - November 20, 2021

Dell EMC SCG 5.00.00.10 and earlier, contain a sensitive information disclosure vulnerability. A local malicious user may exploit this vulnerability to read sensitive information and use it.

Insertion of Sensitive Information into Log File

Dell PowerScale OneFS contains an Unsynchronized Access to Shared Data in a Multithreaded Context in SMB CA handling

CVE-2021-36305 6.5 - Medium - November 12, 2021

Dell PowerScale OneFS contains an Unsynchronized Access to Shared Data in a Multithreaded Context in SMB CA handling. An authenticated user of SMB on a cluster with CA could potentially exploit this vulnerability, leading to a denial of service over SMB.

AuthZ

Dell EMC PowerScale OneFS versions 9.1.0, 9.2.0.x, 9.2.1.x contain an Exposure of Information through Directory Listing vulnerability

CVE-2021-21528 7.5 - High - November 12, 2021

Dell EMC PowerScale OneFS versions 9.1.0, 9.2.0.x, 9.2.1.x contain an Exposure of Information through Directory Listing vulnerability. This vulnerability is triggered when upgrading from a previous versions.

Dell Enterprise SONiC OS, versions 3.3.0 and earlier, contains a sensitive information disclosure vulnerability

CVE-2021-36309 6.5 - Medium - October 01, 2021

Dell Enterprise SONiC OS, versions 3.3.0 and earlier, contains a sensitive information disclosure vulnerability. An authenticated malicious user with access to the system may use the TACACS\Radius credentials stored to read sensitive information and use it in further attacks.

Information Disclosure

SupportAssist Client version 3.8 and 3.9 contains an Untrusted search path vulnerability

CVE-2021-36297 7.8 - High - September 28, 2021

SupportAssist Client version 3.8 and 3.9 contains an Untrusted search path vulnerability that allows attackers to load an arbitrary .dll file via .dll planting/hijacking, only by a separate administrative action that is not a default part of the SOSInstallerTool.exe installation for executing arbitrary dll's,

Untrusted Path

Dell NetWorker, versions 18.x and 19.x contain a Path traversal vulnerability

CVE-2021-21569 4.9 - Medium - September 28, 2021

Dell NetWorker, versions 18.x and 19.x contain a Path traversal vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and gain access to unauthorized information.

Directory traversal

Dell NetWorker, versions 18.x and 19.x contain an Information disclosure vulnerability

CVE-2021-21570 4.9 - Medium - September 28, 2021

Dell NetWorker, versions 18.x and 19.x contain an Information disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and gain access to unauthorized information.

Shell injection

Dell SupportAssist Client Consumer versions 3.9.13.0 and any versions prior to 3.9.13.0 contain an arbitrary file deletion vulnerability

CVE-2021-36286 7.1 - High - September 28, 2021

Dell SupportAssist Client Consumer versions 3.9.13.0 and any versions prior to 3.9.13.0 contain an arbitrary file deletion vulnerability that can be exploited by using the Windows feature of NTFS called Symbolic links. Symbolic links can be created by any(non-privileged) user under some object directories, but by themselves are not sufficient to successfully escalate privileges. However, combining them with a different object, such as the NTFS junction point allows for the exploitation. Support assist clean files functionality do not distinguish junction points from the physical folder and proceeds to clean the target of the junction that allows nonprivileged users to create junction points and delete arbitrary files on the system which can be accessed only by the admin.

Directory traversal

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x improperly handle an exceptional condition

CVE-2021-21592 6.5 - Medium - August 16, 2021

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x improperly handle an exceptional condition. A remote low privileged user could potentially exploit this vulnerability, leading to unauthorized information disclosure.

Improper Handling of Exceptional Conditions

Dell PowerScale OneFS versions 8.2.2 - 9.1.0.x contain a use of get request method with sensitive query strings vulnerability

CVE-2021-21594 5.3 - Medium - August 16, 2021

Dell PowerScale OneFS versions 8.2.2 - 9.1.0.x contain a use of get request method with sensitive query strings vulnerability. It can lead to potential disclosure of sensitive data. Dell recommends upgrading at your earliest opportunity.

Use of GET Request Method With Sensitive Query Strings

Dell EMC PowerScale OneFS versions 8.2.x - 9.1.1.x contain an improper neutralization of special elements used in an OS command

CVE-2021-21595 6.7 - Medium - August 16, 2021

Dell EMC PowerScale OneFS versions 8.2.x - 9.1.1.x contain an improper neutralization of special elements used in an OS command. This vulnerability could allow the compadmin user to elevate privileges. This only impacts Smartlock WORM compliance mode clusters as a critical vulnerability and Dell recommends to update/upgrade at the earliest opportunity.

Command Injection

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.1.x contain an OS command injection vulnerability

CVE-2021-21599 6.7 - Medium - August 16, 2021

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.1.x contain an OS command injection vulnerability. This may allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to escalate privileges and escape the compliance guarantees. This only impacts Smartlock WORM compliance mode clusters as a critical vulnerability and Dell recommends to update/upgrade at the earliest opportunity.

Shell injection

Dell EMC PowerScale OneFS versions 8.2.x, 9.1.0.x, and 9.1.1.1 contain a sensitive information exposure vulnerability in log files

CVE-2021-36278 5.5 - Medium - August 16, 2021

Dell EMC PowerScale OneFS versions 8.2.x, 9.1.0.x, and 9.1.1.1 contain a sensitive information exposure vulnerability in log files. A local malicious user with ISI_PRIV_LOGIN_SSH, ISI_PRIV_LOGIN_CONSOLE, or ISI_PRIV_SYS_SUPPORT privileges may exploit this vulnerability to access sensitive information. If any third-party consumes those logs, the same sensitive information is available to those systems as well.

Insertion of Sensitive Information into Log File

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability

CVE-2021-36280 5.5 - Medium - August 16, 2021

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This could allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster.

Incorrect Permission Assignment for Critical Resource

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment vulnerability

CVE-2021-36281 8.8 - High - August 16, 2021

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment vulnerability. A low privileged authenticated user can potentially exploit this vulnerability to escalate privileges.

Incorrect Permission Assignment for Critical Resource

Dell EMC PowerScale OneFS versions 8.2.x - 9.1.0.x contain a use of uninitialized resource vulnerability

CVE-2021-36282 3.3 - Low - August 16, 2021

Dell EMC PowerScale OneFS versions 8.2.x - 9.1.0.x contain a use of uninitialized resource vulnerability. This can potentially allow an authenticated user with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to gain access up to 24 bytes of data within the /ifs kernel stack under certain conditions.

Use of Uninitialized Resource

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an insufficient logging vulnerability

CVE-2021-21568 4.3 - Medium - August 16, 2021

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an insufficient logging vulnerability. An authenticated user with ISI_PRIV_LOGIN_PAPI could make un-audited and un-trackable configuration changes to settings that their roles have privileges to change.

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability

CVE-2021-36279 7.8 - High - August 16, 2021

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x contain an incorrect permission assignment for critical resource vulnerability. This could allow a user with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE to access privileged information about the cluster.

Incorrect Permission Assignment for Critical Resource

Dell PowerScale OneFS 9.1.0.x contains an improper privilege management vulnerability

CVE-2021-21567 7.8 - High - August 10, 2021

Dell PowerScale OneFS 9.1.0.x contains an improper privilege management vulnerability. It may allow an authenticated user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE to elevate privilege.

Improper Privilege Management

Dell EMC Data Protection Search

CVE-2021-21601 7.8 - High - August 10, 2021

Dell EMC Data Protection Search, 19.4 and prior, and IDPA, 2.6.1 and prior, contain an Information Exposure in Log File Vulnerability in CIS. A local low privileged attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with the privileges of the compromised account.

Insertion of Sensitive Information into Log File

Dell EMC NetWorker, 19.4 or older, contain an uncontrolled resource consumption flaw in its API service

CVE-2021-21600 6.5 - Medium - August 10, 2021

Dell EMC NetWorker, 19.4 or older, contain an uncontrolled resource consumption flaw in its API service. An authorized API user could potentially exploit this vulnerability via the web and desktop user interfaces, leading to denial of service in the manageability path.

Missing Release of Resource after Effective Lifetime

Dell OpenManage Enterprise versions prior to 3.6.1 contain an OS command injection vulnerability in RACADM and IPMI tools

CVE-2021-21585 7.2 - High - August 09, 2021

Dell OpenManage Enterprise versions prior to 3.6.1 contain an OS command injection vulnerability in RACADM and IPMI tools. A remote authenticated malicious user with high privileges may potentially exploit this vulnerability to execute arbitrary OS commands.

Shell injection

Dell OpenManage Enterprise versions 3.4 through 3.6.1 and Dell OpenManage Enterprise Modular versions 1.20.00 through 1.30.00

CVE-2021-21596 8.8 - High - August 09, 2021

Dell OpenManage Enterprise versions 3.4 through 3.6.1 and Dell OpenManage Enterprise Modular versions 1.20.00 through 1.30.00, contain a remote code execution vulnerability. A malicious attacker with access to the immediate subnet may potentially exploit this vulnerability leading to information disclosure and a possible elevation of privileges.

Information Disclosure

Dell OpenManage Enterprise version 3.5 and OpenManage Enterprise-Modular version 1.30.00 contain an information disclosure vulnerability

CVE-2021-21584 6.5 - Medium - August 09, 2021

Dell OpenManage Enterprise version 3.5 and OpenManage Enterprise-Modular version 1.30.00 contain an information disclosure vulnerability. An authenticated low privileged attacker may potentially exploit this vulnerability leading to disclosure of the OIDC server credentials.

Information Disclosure

Dell Command Update, Dell Update, and Alienware Update versions prior to 4.3 contains a Improper Certificate Verification vulnerability

CVE-2021-36277 7.8 - High - August 09, 2021

Dell Command Update, Dell Update, and Alienware Update versions prior to 4.3 contains a Improper Certificate Verification vulnerability. A local authenticated malicious user could exploit this vulnerability by modifying local configuration files in order to execute arbitrary code on the system.

Improper Verification of Cryptographic Signature

Dell OpenManage Enterprise versions prior to 3.6.1 contain an improper authentication vulnerability

CVE-2021-21564 9.8 - Critical - August 09, 2021

Dell OpenManage Enterprise versions prior to 3.6.1 contain an improper authentication vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to hijack an elevated session or perform unauthorized actions by sending malformed data.

authentification

Dell DBUtilDrv2.sys driver (versions 2.5 and 2.6) contains an insufficient access control vulnerability

CVE-2021-36276 7.8 - High - August 09, 2021

Dell DBUtilDrv2.sys driver (versions 2.5 and 2.6) contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain an open redirect vulnerability

CVE-2021-21578 6.1 - Medium - August 03, 2021

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links.

Open Redirect

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain an open redirect vulnerability

CVE-2021-21579 6.1 - Medium - August 03, 2021

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links.

Open Redirect

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain a DOM-based cross-site scripting vulnerability

CVE-2021-21576 6.1 - Medium - August 03, 2021

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victims browser by tricking a victim in to following a specially crafted link.

XSS

Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a cross-site scripting vulnerability

CVE-2021-21581 6.1 - Medium - August 03, 2021

Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victims browser by tricking a victim in to following a specially crafted link.

XSS

Dell EMC iDRAC8 versions prior to 2.80.80.80 & Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a Content spoofing / Text injection, where a malicious URL can inject text to present a customized message on the application

CVE-2021-21580 4.3 - Medium - August 03, 2021

Dell EMC iDRAC8 versions prior to 2.80.80.80 & Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a Content spoofing / Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate.

Injection