U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/o:dell:idrac7_firmware:1.00.00
There are 9 matching records.
Displaying matches 1 through 9.
Vuln ID Summary CVSS Severity
CVE-2020-5344

Dell EMC iDRAC7, iDRAC8 and iDRAC9 versions prior to 2.65.65.65, 2.70.70.70, 4.00.00.00 contain a stack-based buffer overflow vulnerability. An unauthenticated remote attacker may exploit this vulnerability to crash the affected process or execute arbitrary code on the system by sending specially crafted input data.

Published: March 31, 2020; 6:15:14 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH
CVE-2019-3764

Dell EMC iDRAC7 versions prior to 2.65.65.65, iDRAC8 versions prior to 2.70.70.70 and iDRAC9 versions prior to 3.36.36.36 contain an improper authorization vulnerability. A remote authenticated malicious iDRAC user with low privileges may potentially exploit this vulnerability to obtain sensitive information such as password hashes.

Published: November 07, 2019; 1:15:12 PM -0500
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2019-3705

Dell EMC iDRAC6 versions prior to 2.92, iDRAC7/iDRAC8 versions prior to 2.61.60.60, and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22 and 3.23.23.23 contain a stack-based buffer overflow vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to crash the webserver or execute arbitrary code on the system with privileges of the webserver by sending specially crafted input data to the affected system.

Published: April 26, 2019; 3:29:00 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH
CVE-2018-15776

Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 contain an improper error handling vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to get access to the u-boot shell.

Published: December 13, 2018; 5:29:00 PM -0500
V3.0: 6.8 MEDIUM
V2.0: 4.6 MEDIUM
CVE-2018-15774

Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges could potentially exploit a permissions check flaw in the Redfish interface to gain administrator access.

Published: December 13, 2018; 5:29:00 PM -0500
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2018-1244

Dell EMC iDRAC7/iDRAC8, versions prior to 2.60.60.60, and iDRAC9 versions prior to 3.21.21.21 contain a command injection vulnerability in the SNMP agent. A remote authenticated malicious iDRAC user with configuration privileges could potentially exploit this vulnerability to execute arbitrary commands on the iDRAC where SNMP alerting is enabled.

Published: July 02, 2018; 1:29:00 PM -0400
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2018-1243

Dell EMC iDRAC6, versions prior to 2.91, iDRAC7/iDRAC8, versions prior to 2.60.60.60 and iDRAC9, versions prior to 3.21.21.21, contain a weak CGI session ID vulnerability. The sessions invoked via CGI binaries use 96-bit numeric-only session ID values, which makes it easier for remote attackers to perform bruteforce session guessing attacks.

Published: July 02, 2018; 1:29:00 PM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2016-5685

Dell iDRAC7 and iDRAC8 devices with firmware before 2.40.40.40 allow authenticated users to gain Bash shell access through a string injection.

Published: November 29, 2016; 10:59:00 AM -0500
V3.0: 8.8 HIGH
V2.0: 9.0 HIGH
CVE-2013-3589

Cross-site scripting (XSS) vulnerability in the login page in the Administrative Web Interface on Dell iDRAC6 monolithic devices with firmware before 1.96 and iDRAC7 devices with firmware before 1.46.45 allows remote attackers to inject arbitrary web script or HTML via the ErrorMsg parameter.

Published: September 24, 2013; 6:35:51 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM