Detections
Analytics
iLO 3 < 1.65 / iLO 4 < 1.32 Multiple Vulnerabilities
medium Nessus Plugin ID 122188
Language:
Synopsis
The remote HP Integrated Lights-Out (iLO) server's web interface is affected by multiple vulnerabilities.Description
According to its version number, the firmware of Integrated Lights-Out running on the remote web server is iLO 3 prior to 1.65 or iLO 4 prior to 1.32. It is, therefore, affected by multiple vulnerabilities:- A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session (CVE-2013-4842).
- An information disclosure vulnerability exists in Integrated Lights-Out (iLO) 3 & 4 due to an undisclosed vulnerability. An unauthenticated, remote attacker can exploit this to disclose potentially sensitive information (CVE-2013-4843).
Solution
For iLO 3, upgrade firmware to 1.65 or later. For iLO 4, upgrade firmware to 1.32 or later.See Also
Plugin Details
Severity: Medium
ID: 122188
File Name: ilo_HPSBHF_02939.nasl
Version: 1.5
Type: remote
Family: CGI abuses
Published: 2/14/2019
Updated: 5/18/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.7
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N
CVSS Score Source: CVE-2013-4843
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Temporal Score: 5.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:hp:integrated_lights-out_firmware
Required KB Items: www/ilo, ilo/generation, ilo/firmware
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 11/14/2013
Vulnerability Publication Date: 12/9/2013
Reference Information
CVE: CVE-2013-4842, CVE-2013-4843