CVE-2021-46846 : Cross Site Scripting vulnerability in Hewlett Packard Enterprise Integrated Ligh

Products affected by CVE-2021-46846

HP » Integrated Lights-out 5 Firmware
Versions before (<) 2.44
cpe:2.3:o:hp:integrated_lights-out_5_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: HP » 3par Service Processor » Version: N/A
When used together with: HP » Apollo R2000 Chassis » Version: N/A
When used together with: HPE » Apollo 2000 Gen10 Plus System » Version: N/A
When used together with: HPE » Apollo 4200 Gen10 Server » Version: N/A
When used together with: HPE » Apollo 4510 Gen10 System » Version: N/A
When used together with: HPE » Apollo 6500 Gen10 Plus System » Version: N/A
When used together with: HPE » Integrated Lights-out 5 » Version: N/A
When used together with: HPE » Proliant Bl460c Gen10 Server Blade » Version: N/A
When used together with: HPE » Proliant Dl120 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Dl160 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Dl180 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Dl20 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Dl325 Gen10 Plus Server » Version: N/A
When used together with: HPE » Proliant Dl325 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Dl360 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Dl380 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Dl385 Gen10 Plus Server » Version: N/A
When used together with: HPE » Proliant Dl385 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Dl560 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Dl580 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Dx385 Gen10 Plus Server » Version: N/A
When used together with: HPE » Proliant E910 Server Blade » Version: N/A
When used together with: HPE » Proliant E910t Server Blade » Version: N/A
When used together with: HPE » Proliant M750 Server Blade » Version: N/A
When used together with: HPE » Proliant Microserver Gen10 » Version: N/A
When used together with: HPE » Proliant Microserver Gen10 Plus » Version: N/A
When used together with: HPE » Proliant Ml110 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Ml30 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Ml350 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Xl170r Gen10 Server » Version: N/A
When used together with: HPE » Proliant Xl190r Gen10 Server » Version: N/A
When used together with: HPE » Proliant Xl220n Gen10 Plus Server » Version: N/A
When used together with: HPE » Proliant Xl230k Gen10 Server » Version: N/A
When used together with: HPE » Proliant Xl270d Gen10 Server » Version: N/A
When used together with: HPE » Proliant Xl290n Gen10 Plus Server » Version: N/A
When used together with: HPE » Proliant Xl450 Gen10 Server » Version: N/A
When used together with: HPE » Proliant Xl645d Gen10 Plus Server » Version: N/A
When used together with: HPE » Proliant Xl675d Gen10 Plus Server » Version: N/A
When used together with: HPE » Storage File Controller » Version: N/A
When used together with: HPE » Storeeasy 1460 Storage » Version: N/A
When used together with: HPE » Storeeasy 1560 Storage » Version: N/A
When used together with: HPE » Storeeasy 1660 Expanded Storage » Version: N/A
When used together with: HPE » Storeeasy 1660 Storage » Version: N/A
When used together with: HPE » Storeeasy 1860 Storage » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2021-46846

EPSS FAQ

0.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 26 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-46846

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
6.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L	0.9	5.5	Hewlett Packard Enterprise (HPE)
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: Low

CWE ids for CVE-2021-46846

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-46846

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04133en_us

Document - HPESBHF04133 rev.2 - HPE ProLiant Servers, Apollo Products, Moonshot and Edgeline Blades, and Storage Products with Integrated Lights-Out 5 (iLO 5), Multiple Remote and Local Vulnerabilitie
Vendor Advisory

Vulnerability Details : CVE-2021-46846

Products affected by CVE-2021-46846

Exploit prediction scoring system (EPSS) score for CVE-2021-46846

CVSS scores for CVE-2021-46846

CWE ids for CVE-2021-46846

References for CVE-2021-46846