CVE-2019-18582
In short
Dell EMC Data Protection Advisor (DPA) contains a server-side template injection flaw in its REST API: an authenticated administrator can inject code into the report-generation scripts, and the server then executes that code as OS commands under the account that runs the DPA service. The danger is that anyone holding administrative credentials, including an attacker who has stolen or phished them, can turn application-level admin access into control of the DPA host.
Technical detail
A server-side template injection vulnerability in the REST API lets an authenticated administrator inject arbitrary code into report-generation scripts; the injected code runs as OS commands with the privileges of the user account under which the DPA service runs. Exploitation requires valid administrative credentials and network access to the affected REST API endpoint, which is why the CVSS vector carries PR:H with AV:N and UI:N. The scope change (S:C) reflects that the impact reaches the underlying operating system rather than stopping at the application. Rotating DPA admin credentials after patching is prudent, since any prior misuse of those credentials would not be undone by the patch alone.
Summary generated and translated by AI from the official description.
Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to inject malicious report generation scripts in the server. This may lead to OS command execution as the regular user runs the DPA service on the affected system.
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
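The first thing a practitioner wants from the version list above is a way to run it over an inventory. The following Python is an added example written for this page, not code from Dell or from any DPA tooling. It encodes the affected ranges exactly as the advisory states them (6.3, 6.4 and 6.5 in all builds; 18.2 before patch 83; 19.1 before patch 71) and treats a version string with no patch number as patch 0, i.e. as unpatched, which is the conservative choice. The accepted version-string formats (`19.1 patch 70`, `18.2p83`, `6.5.1`), the hostnames and the inventory itself are constructed assumptions for the example; check how your own DPA instances report their version before relying on the parser.

```python
import re

# Affected branches as stated in the advisory (constructed table, not from Dell):
# value = first fixed patch level, or None when every build of the branch is affected.
AFFECTED_BRANCHES = {
    "6.3": None,
    "6.4": None,
    "6.5": None,
    "18.2": 83,
    "19.1": 71,
}

# Assumed version-string shapes: "19.1", "19.1 patch 70", "18.2p83", "6.5.1".
_VERSION_RE = re.compile(
    r"^\s*(?P<major>\d+)\.(?P<minor>\d+)(?:\.\d+)*"   # major.minor[.extra]
    r"\s*(?:(?:patch|p)\s*(?P<patch>\d+))?\s*$",       # optional patch level
    re.IGNORECASE,
)


def parse_version(text):
    """Return (branch, patch), e.g. ('19.1', 70). A missing patch level counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised DPA version string: {text!r}")
    branch = f"{int(m['major'])}.{int(m['minor'])}"
    patch = int(m["patch"]) if m["patch"] else 0
    return branch, patch


def classify(text):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    branch, patch = parse_version(text)
    if branch not in AFFECTED_BRANCHES:
        return "not-listed"          # branch not named in the advisory at all
    fixed_at = AFFECTED_BRANCHES[branch]
    if fixed_at is None or patch < fixed_at:
        return "affected"
    return "fixed"


def exposed_hosts(inventory):
    """Filter a {hostname: version} mapping down to hosts that are still affected."""
    return sorted(host for host, ver in inventory.items() if classify(ver) == "affected")


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "dpa-prod-01": "19.1 patch 70",
    "dpa-prod-02": "19.1 patch 71",
    "dpa-lab-01": "18.2p83",
    "dpa-legacy": "6.4",
    "dpa-new": "19.3",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:12} {ver:14} {classify(ver)}")
    print("exposed:", exposed_hosts(SAMPLE_INVENTORY))
```

A branch that the advisory does not name (19.3 in the sample) is reported as `not-listed` rather than `fixed`, so that the script never implies a clean bill of health the advisory does not give.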
Affected products
Dell · Data Protection Advisor