ATREDIS-2018-0007: Cross-Site Scripting in HPE iLO Web UI
- Hewlett Packard Enterprise
- HPE iLO 5 (v1.35 and below)
The Integrated Lights-Out (iLO) web interface is vulnerable to cross-site scripting (XSS) because it does not sanitize or encode the value of the iLO's "domain name" setting before rendering it in the web UI. An attacker able to control that value could cause script of their choosing to execute in the browser of an authenticated iLO web interface user, and thereby perform administrative actions with that user's privileges and/or expose sensitive information.
HPE has provided an updated firmware image for iLO that addresses the Cross-Site Scripting vulnerability.
This vulnerability was found by Zach Lanier of Atredis Partners.
- 2018-12-04: Atredis Partners sent vulnerability details to HPE
- 2018-12-05: HPE acknowledged the report
- 2019-01-22: Atredis Partners sent vulnerability details to CERT/CC (VRF#19-01-FLMHP)
- 2019-01-24: HPE indicates that fix is in a pending release
- 2019-02-04: HPE releases security bulletin and firmware update addressing the issue
- 2019-03-08: Atredis Partners publishes this advisory
The DHCP "domain name" could contain a simple HTML
The iLO web service has no defense-in-depth controls in place, such as response headers that restrict script execution (for example, a Content-Security-Policy header), that would mitigate this issue.
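The root cause described above is a value that is written into the page without validation or output encoding. The following is an added example, not code from Atredis Partners or from HPE's iLO firmware, showing the vulnerable pattern beside a hardened one: the "domain name" setting is checked against the syntax of a DNS name on input and HTML-encoded on output. The function names, the table markup and the sample values are constructed for illustration and do not describe the actual iLO implementation or the payload used in the research.

```javascript
// Added example (not Atredis's or HPE's code): validate a DHCP/DNS "domain name"
// setting on input and HTML-encode it on output, so an attacker-controlled value
// cannot inject markup into a management web UI. All sample inputs are constructed.

// RFC 1035-style hostname label: letters, digits and hyphens, no leading or
// trailing hyphen, 1 to 63 characters.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// Input validation: accept only strings that are syntactically DNS names
// (optionally with a trailing dot, whole name at most 253 characters).
function isValidDomainName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 253) return false;
  const trimmed = name.endsWith('.') ? name.slice(0, -1) : name;
  if (trimmed.length === 0) return false;
  return trimmed.split('.').every(label => LABEL_RE.test(label));
}

// Output encoding for HTML element content and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// "Before": the setting is concatenated straight into the page, which is the
// class of bug the advisory describes.
function renderNetworkPageVulnerable(settings) {
  return `<tr><td>Domain Name</td><td>${settings.domainName}</td></tr>`;
}

// "After": reject values that are not DNS names, and encode whatever is rendered
// regardless, so neither check alone has to be perfect.
function renderNetworkPageFixed(settings) {
  if (!isValidDomainName(settings.domainName)) {
    throw new Error('domain name setting rejected: not a valid DNS name');
  }
  return `<tr><td>Domain Name</td><td>${escapeHtml(settings.domainName)}</td></tr>`;
}

// Constructed sample settings: a legitimate name and a hostile one.
const GOOD_SETTINGS = { domainName: 'mgmt.example.com' };
const BAD_SETTINGS = { domainName: '<img src=x onerror=alert(document.cookie)>' };

// Usage: the vulnerable renderer emits the injected markup verbatim; the fixed
// renderer refuses the hostile value and encodes the legitimate one.
console.log(renderNetworkPageVulnerable(BAD_SETTINGS));
console.log(renderNetworkPageFixed(GOOD_SETTINGS));
try {
  renderNetworkPageFixed(BAD_SETTINGS);
} catch (e) {
  console.log('rejected:', e.message);
}
```

Validation on input is the right fix for a field with a well-defined syntax such as a domain name, but output encoding belongs in the rendering layer as well, since the same value may later be displayed by code that never saw the input check (a value learned from DHCP, for example, never passes through the settings form). A Content-Security-Policy header that disallows inline script is a third, independent layer that would have limited the impact of this bug even with the rendering unchanged.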