• CVE-2021-36347
• CVE-2021-36301
• CVE-2020-5344
• CVE-2019-3705
• CVE-2018-15776
• CVE-2018-1244
• CVE-2018-1243
• CVE-2018-1212
• CVE-2018-1207
• CVE-2016-5685

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2024-22428 on NVD

Dell iDRAC Service Module, versions 5.2.0.0 and prior, contain an Incorrect Default Permissions vulnerability. It may allow a local unprivileged user to escalate privileges and execute arbitrary code on the affected system. Dell recommends customers upgrade at the earliest opportunity.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2022-34436 on NVD

Dell iDRAC8 version 2.83.83.83 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker could exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2022-34435 on NVD

Dell iDRAC9 version 6.00.02.00 and prior contain an improper input validation vulnerability in Racadm when the firmware lock-down configuration is set. A remote high privileged attacker could exploit this vulnerability to bypass the firmware lock-down configuration and perform a firmware update.

• baseScore: 5.3
• baseSeverity: Medium
• More info about CVE-2022-24423 on NVD

Dell iDRAC8 versions prior to 2.83.83.83 contain a denial of service vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to cause resource exhaustion in the webserver, resulting in a denial of service condition.

• baseScore: 9.6
• baseSeverity: Critical
• More info about CVE-2022-24422 on NVD

Dell iDRAC9 versions 5.00.00.00 and later but prior to 5.10.10.00, contain an improper authentication vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access to the VNC Console.

• baseScore: 5.9
• baseSeverity: Medium
• More info about CVE-2021-36348 on NVD

iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC.

• baseScore: 6.2
• baseSeverity: Medium
• More info about CVE-2021-36347 on NVD

iDRAC9 versions prior to 5.00.20.00 and iDRAC8 versions prior to 2.82.82.82 contain a stack-based buffer overflow vulnerability. An authenticated remote attacker with high privileges could potentially exploit this vulnerability to control process execution and gain access to the iDRAC operating system.

• baseScore: 5.3
• baseSeverity: Medium
• More info about CVE-2021-36346 on NVD

Dell iDRAC 8 prior to version 2.82.82.82 contain a denial of service vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to deny access to the iDRAC webserver.

• baseScore: 5.9
• baseSeverity: Medium
• More info about CVE-2021-36301 on NVD

Dell iDRAC 9 prior to version 4.40.40.00 and iDRAC 8 prior to version 2.80.80.80 contain a Stack Buffer Overflow in Racadm. An authenticated remote attacker may potentially exploit this vulnerability to control process execution and gain access to the underlying operating system.

• baseScore: 6.5
• baseSeverity: Medium
• More info about CVE-2021-36300 on NVD

iDRAC9 versions prior to 5.00.00.00 contain an improper input validation vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability by sending a specially crafted malicious request to crash the webserver or cause information disclosure.

• baseScore: 7.1
• baseSeverity: High
• More info about CVE-2021-36299 on NVD

Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application.

• baseScore: 6.5
• baseSeverity: Medium
• More info about CVE-2021-21581 on NVD

Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link.

• baseScore: 4.3
• baseSeverity: Medium
• More info about CVE-2021-21580 on NVD

Dell EMC iDRAC8 versions prior to 2.80.80.80 & Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a Content spoofing / Text injection, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate.

• baseScore: 6.1
• baseSeverity: Medium
• More info about CVE-2021-21579 on NVD

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links.

• baseScore: 6.1
• baseSeverity: Medium
• More info about CVE-2021-21578 on NVD

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links.

• baseScore: 6.1
• baseSeverity: Medium
• More info about CVE-2021-21577 on NVD

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link.

• baseScore: 6.1
• baseSeverity: Medium
• More info about CVE-2021-21576 on NVD

Dell EMC iDRAC9 versions prior to 4.40.40.00 contain a DOM-based cross-site scripting vulnerability. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link.

• baseScore: 2.7
• baseSeverity: Low
• More info about CVE-2021-21544 on NVD

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain an improper authentication vulnerability. A remote authenticated malicious user with high privileges could potentially exploit this vulnerability to manipulate the username field under the comment section and set the value to any user.

• baseScore: 4.8
• baseSeverity: Medium
• More info about CVE-2021-21543 on NVD

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges could potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected parameters. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application.

• baseScore: 4.8
• baseSeverity: Medium
• More info about CVE-2021-21542 on NVD

Dell EMC iDRAC9 versions prior to 4.40.10.00 contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges could potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected while generating a certificate. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application.

• baseScore: 6.1
• baseSeverity: Medium
• More info about CVE-2021-21541 on NVD

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a DOM-based cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to DOM environment in the browser. The malicious code is then executed by the web browser in the context of the vulnerable web application.

• baseScore: 5.9
• baseSeverity: Medium
• More info about CVE-2021-21540 on NVD

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a stack-based overflow vulnerability. A remote authenticated attacker could potentially exploit this vulnerability to overwrite configuration information by injecting arbitrarily large payload.

• baseScore: 5.9
• baseSeverity: Medium
• More info about CVE-2021-21539 on NVD

Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. A remote authenticated attacker could potentially exploit this vulnerability to gain elevated privileges when a user with higher privileges is simultaneously accessing iDRAC through the web interface.

• baseScore: 9.6
• baseSeverity: Critical
• More info about CVE-2021-21538 on NVD

Dell EMC iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.10.00, contain an improper authentication vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the virtual console.

• baseScore: 6.1
• baseSeverity: Medium
• More info about CVE-2021-21510 on NVD

Dell iDRAC8 versions prior to 2.75.100.75 contain a host header injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary ‘Host’ header values to poison a web-cache or trigger redirections.

• baseScore: 8.0
• baseSeverity: High
• More info about CVE-2021-21505 on NVD

Dell EMC Integrated System for Microsoft Azure Stack Hub, versions 1906 – 2011, contain an undocumented default iDRAC account. A remote unauthenticated attacker, with the knowledge of the default credentials, could potentially exploit this to log in to the system to gain root privileges.

• baseScore: 7.1
• baseSeverity: High
• More info about CVE-2020-5366 on NVD

Dell EMC iDRAC9 versions prior to 4.20.20.20 contain a Path Traversal Vulnerability. A remote authenticated malicious user with low privileges could potentially exploit this vulnerability by manipulating input parameters to gain unauthorized read access to the arbitrary files.

• baseScore: 7.0
• baseSeverity: High
• More info about CVE-2020-5344 on NVD

Dell EMC iDRAC7, iDRAC8 and iDRAC9 versions prior to 2.65.65.65, 2.70.70.70, 4.00.00.00 contain a stack-based buffer overflow vulnerability. An unauthenticated remote attacker may exploit this vulnerability to crash the affected process or execute arbitrary code on the system by sending specially crafted input data.

• baseScore: 6.1
• baseSeverity: Medium
• More info about CVE-2020-26198 on NVD

Dell EMC iDRAC9 versions prior to 4.32.10.00 and 4.40.00.00 contain a reflected cross-site scripting vulnerability in the iDRAC9 web application. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim’s browser by tricking a victim in to following a specially crafted link.

• baseScore: 5.0
• baseSeverity: Medium
• More info about CVE-2019-3764 on NVD

Dell EMC iDRAC7 versions prior to 2.65.65.65, iDRAC8 versions prior to 2.70.70.70 and iDRAC9 versions prior to 3.36.36.36 contain an improper authorization vulnerability. A remote authenticated malicious iDRAC user with low privileges may potentially exploit this vulnerability to obtain sensitive information such as password hashes.

• baseScore: 8.6
• baseSeverity: HIGH
• More info about CVE-2019-3707 on NVD

Dell EMC iDRAC9 versions prior to 3.30.30.30 contain an authentication bypass vulnerability. A remote attacker may potentially exploit this vulnerability to bypass authentication and gain access to the system by sending specially crafted input data to the WS-MAN interface.

• baseScore: 8.6
• baseSeverity: HIGH
• More info about CVE-2019-3706 on NVD

Dell EMC iDRAC9 versions prior to 3.24.24.24, 3.21.26.22, 3.22.22.22 and 3.21.25.22 contain an authentication bypass vulnerability. A remote attacker may potentially exploit this vulnerability to bypass authentication and gain access to the system by sending specially crafted data to the iDRAC web interface.

• baseScore: 8.1
• baseSeverity: HIGH
• More info about CVE-2019-3705 on NVD

Dell EMC iDRAC6 versions prior to 2.92, iDRAC7/iDRAC8 versions prior to 2.61.60.60, and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22 and 3.23.23.23 contain a stack-based buffer overflow vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to crash the webserver or execute arbitrary code on the system with privileges of the webserver by sending specially crafted input data to the affected system.

• baseScore: 6.4
• baseSeverity: MEDIUM
• More info about CVE-2018-15776 on NVD

Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 contain an improper error handling vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to get access to the u-boot shell.

• baseScore: 3.8
• baseSeverity: LOW
• More info about CVE-2018-15774 on NVD

Dell EMC iDRAC7/iDRAC8 versions prior to 2.61.60.60 and iDRAC9 versions prior to 3.20.21.20, 3.21.24.22, 3.21.26.22, and 3.23.23.23 contain a privilege escalation vulnerability. An authenticated malicious iDRAC user with operator privileges could potentially exploit a permissions check flaw in the Redfish interface to gain administrator access.

• baseScore: 6.5
• baseSeverity: MEDIUM
• More info about CVE-2018-1249 on NVD

Dell EMC iDRAC9 versions prior to 3.21.21.21 did not enforce the use of TLS/SSL for a connection to iDRAC web server for certain URLs. A man-in-the-middle attacker could use this vulnerability to strip the SSL/TLS protection from a connection between a client and a server.

• baseScore: 8.8
• baseSeverity: HIGH
• More info about CVE-2018-1244 on NVD

Dell EMC iDRAC7/iDRAC8, versions prior to 2.60.60.60, and iDRAC9 versions prior to 3.21.21.21 contain a command injection vulnerability in the SNMP agent. A remote authenticated malicious iDRAC user with configuration privileges could potentially exploit this vulnerability to execute arbitrary commands on the iDRAC where SNMP alerting is enabled.

• baseScore: 7.5
• baseSeverity: HIGH
• More info about CVE-2018-1243 on NVD

Dell EMC iDRAC6, versions prior to 2.91, iDRAC7/iDRAC8, versions prior to 2.60.60.60 and iDRAC9, versions prior to 3.21.21.21, contain a weak CGI session ID vulnerability. The sessions invoked via CGI binaries use 96-bit numeric-only session ID values, which makes it easier for remote attackers to perform bruteforce session guessing attacks.

• baseScore: 8.8
• baseSeverity: HIGH
• More info about CVE-2018-1212 on NVD

The web-based diagnostics console in Dell EMC iDRAC6 (Monolithic versions prior to 2.91 and Modular all versions) contains a command injection vulnerability. A remote authenticated malicious iDRAC user with access to the diagnostics console could potentially exploit this vulnerability to execute arbitrary commands as root on the affected iDRAC system.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2018-1211 on NVD

Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a path traversal vulnerability in its Web server's URI parser which could be used to obtain specific sensitive data without authentication. A remote unauthenticated attacker may be able to read configuration settings from the iDRAC by querying specific URI strings.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2018-1207 on NVD

Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to execute remote code.

• baseScore: 6.6
• baseSeverity: MEDIUM
• More info about CVE-2018-11053 on NVD

Dell EMC iDRAC Service Module for all supported Linux and XenServer versions v3.0.1, v3.0.2, v3.1.0, v3.2.0, when started, changes the default file permission of the hosts file of the host operating system (/etc/hosts) to world writable. A malicious low privileged operating system user or process could modify the host file and potentially redirect traffic from the intended destination to sites hosting malicious or unwanted content.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2016-5685 on NVD

Dell iDRAC7 and iDRAC8 devices with firmware before 2.40.40.40 allow authenticated users to gain Bash shell access through a string injection.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2015-7275 on NVD

Dell Integrated Remote Access Controller (iDRAC) 6 before 2.85 and 7/8 before 2.30.30.30 has XSS.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2015-7274 on NVD

Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 allows remote attackers to execute arbitrary administrative HTTP commands.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2015-7273 on NVD

Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2015-7272 on NVD

Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long SSH username or input.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2015-7271 on NVD

Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has a format string issue in racadm getsystinfo.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2015-7270 on NVD

Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows directory traversal.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2014-8272 on NVD

The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2013-4785 on NVD

The web interface on the Dell iDRAC6 with firmware before 1.95 allows remote attackers to modify the CLP interface for arbitrary users and possibly have other impact via a request to an unspecified form that is accessible from testurls.html. NOTE: the vendor disputes the significance of this issue, stating "DRAC's are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the Internet."

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2013-4783 on NVD

The Dell iDRAC6 with firmware 1.x before 1.92 and 2.x and 3.x before 3.42, and iDRAC7 with firmware before 1.23.23, allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password. NOTE: the vendor disputes the significance of this issue, stating "DRAC's are intended to be on a separate management network; they are not designed nor intended to be placed on or connected to the Internet."

• baseScore: NULL
• baseSeverity: NULL
• More info about CVE-2013-3589 on NVD

Cross-site scripting (XSS) vulnerability in the login page in the Administrative Web Interface on Dell iDRAC6 monolithic devices with firmware before 1.96 and iDRAC7 devices with firmware before 1.46.45 allows remote attackers to inject arbitrary web script or HTML via the ErrorMsg parameter.

LastUpdate: Sat Jun 1 20:12:01 2024