The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Dell EMC OpenManage

computer vulnerability alert CVE-2019-3722 CVE-2019-3723

Dell EMC OpenManage Server Administrator: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Dell EMC OpenManage Server Administrator.
Impacted products: OpenManage.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/06/2019.
Identifiers: CVE-2019-3722, CVE-2019-3723, DSA-2019-074, VIGILANCE-VUL-29486.

Description of the vulnerability

An attacker can use several vulnerabilities of Dell EMC OpenManage Server Administrator.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2018-15767

Dell OpenManage Network Manager: privilege escalation via Synergy Account

Synthesis of the vulnerability

An attacker can bypass restrictions via the Synergy Account of Dell OpenManage Network Manager, in order to escalate their privileges.
Impacted products: OpenManage.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 06/11/2018.
Identifiers: CVE-2018-15767, KL-001-2018-009, VIGILANCE-VUL-27697.

Description of the vulnerability

An attacker can bypass restrictions via the Synergy Account of Dell OpenManage Network Manager, in order to escalate their privileges.

computer vulnerability alert CVE-2018-15768

Dell OpenManage Network Manager: privilege escalation via MySQL File Write

Synthesis of the vulnerability

An attacker can bypass restrictions via the MySQL File Write of Dell OpenManage Network Manager, in order to escalate their privileges.
Impacted products: OpenManage.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 06/11/2018.
Identifiers: CVE-2018-15768, KL-001-2018-009, VIGILANCE-VUL-27696.

Description of the vulnerability

An attacker can bypass restrictions via the MySQL File Write of Dell OpenManage Network Manager, in order to escalate their privileges.

vulnerability announce 19882

Dell OpenManage: external XML entity injection via Server Administrator

Synthesis of the vulnerability

An attacker can transmit malicious XML data via Server Administrator to Dell OpenManage, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: OpenManage.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 14/06/2016.
Identifiers: VIGILANCE-VUL-19882.

Description of the vulnerability

XML data can declare external entities in its DTD:
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program which parses this XML data can replace these entities with the content of the indicated file or URL. When the program processes XML data coming from an untrusted source, this behavior leads to:
 - disclosure of the content of files on the server
 - scanning of private (internal) web sites
 - a denial of service by opening a file that blocks (such as a device or a FIFO)
This feature must be disabled when processing XML data coming from an untrusted source.

However, the Dell OpenManage parser allows external entities.

An attacker can therefore transmit malicious XML data via Server Administrator to Dell OpenManage, in order to read a file, scan sites, or trigger a denial of service.

vulnerability bulletin CVE-2016-4004

Dell OpenManage Server Administrator: directory traversal

Synthesis of the vulnerability

An authenticated attacker can traverse directories of Dell OpenManage Server Administrator, in order to read a file outside the service root path.
Impacted products: OpenManage.
Severity: 1/4.
Consequences: data reading.
Provenance: privileged account.
Creation date: 13/04/2016.
Identifiers: CVE-2016-4004, VIGILANCE-VUL-19363.

Description of the vulnerability

The Dell OpenManage Server Administrator product offers a web service.

However, user-supplied data is inserted directly into a file path. Sequences such as "/.." can thus be used to move to the parent directory.

An authenticated attacker can therefore traverse directories of Dell OpenManage Server Administrator, in order to read a file outside the service root path.

computer vulnerability alert CVE-2013-3595

Dell PowerConnect: denial of service via OpenManage

Synthesis of the vulnerability

An attacker can use OpenManage of Dell PowerConnect, in order to trigger a denial of service.
Impacted products: OpenManage.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 23/01/2014.
Identifiers: BID-65081, CVE-2013-3595, VIGILANCE-VUL-14126, VU#122582.

Description of the vulnerability

The Dell OpenManage application is used to administer PowerConnect switches.

An attacker can use OpenManage of Dell PowerConnect, in order to trigger a denial of service.

computer vulnerability note 13269

Dell hardware: multiple vulnerabilities of IPMI via iDRAC

Synthesis of the vulnerability

An attacker can use several vulnerabilities of the iDRAC (Dell Remote Access Card) in Dell hardware.
Impacted products: OpenManage, Windows (platform) ~ not comprehensive, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 13/08/2013.
Identifiers: TA13-207A, VIGILANCE-VUL-13269.

Description of the vulnerability

Several vulnerabilities were announced in the iDRAC (Dell Remote Access Card) of Dell hardware. They are related to the IPMI (Intelligent Platform Management Interface).

The default password is constant. [severity:2/4]

An IPMI session can be encrypted. "Cipher Suite 0" disables the encryption. However, due to a design flaw, authentication is also disabled when this cipher suite is negotiated. An attacker can therefore use an arbitrary password and no encryption, in order to execute IPMI commands. [severity:2/4]

vulnerability bulletin CVE-2013-0740

Dell OpenManage Server Administrator: redirect via file

Synthesis of the vulnerability

An attacker can use the "file" parameter of Dell OpenManage Server Administrator, in order to redirect the victim to a malicious site.
Impacted products: OpenManage.
Severity: 1/4.
Consequences: data reading.
Provenance: document.
Creation date: 23/07/2013.
Identifiers: BID-61383, CVE-2013-0740, VIGILANCE-VUL-13153.

Description of the vulnerability

The Dell OpenManage Server Administrator product installs the "/HelpViewer" web page, which is used to display the help.

The "file" parameter of "/HelpViewer" indicates the document to display, and the page serves it by issuing a redirection to it. However, the value of this parameter is not restricted to local documents, so it can point to an external site.

An attacker can therefore use the "file" parameter of Dell OpenManage Server Administrator, in order to redirect the victim to a malicious site.

vulnerability bulletin CVE-2012-6272

Dell OpenManage Server Administrator: Cross Site Scripting via index_main.htm

Synthesis of the vulnerability

An attacker can create a Cross Site Scripting in Dell OpenManage Server Administrator, in order to execute JavaScript code in the context of the web site.
Impacted products: OpenManage.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 10/01/2013.
Identifiers: BID-57212, CVE-2012-6272, VIGILANCE-VUL-12323, VU#950172.

Description of the vulnerability

The Dell OpenManage Server Administrator product offers help pages on a web server listening on port 1311/tcp, and reachable at:
  /help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm

The "topic" parameter of the index_main.htm page indicates the topic being searched for. However, this parameter is not escaped before being inserted into the generated HTML page.

An attacker can therefore create a Cross Site Scripting in Dell OpenManage Server Administrator, in order to execute JavaScript code in the context of the web site.

vulnerability announce CVE-2012-4955

Dell OpenManage Server Administrator: Cross Site Scripting

Synthesis of the vulnerability

An attacker can create a Cross Site Scripting in Dell OpenManage Server Administrator, in order to execute JavaScript code in the context of the web site.
Impacted products: OpenManage.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 15/11/2012.
Identifiers: BID-56518, CVE-2012-4955, VIGILANCE-VUL-12162, VU#558132.

Description of the vulnerability

An attacker can create a Cross Site Scripting in Dell OpenManage Server Administrator, in order to execute JavaScript code in the context of the web site.