CVE-2024-25971

Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information disclosure, denial-of-service.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://www.dell.com/support/kbdoc/en-us/000223556/dsa-2024-132-security-update-dell-power-protect-data-manager-for-multiple-security-vulnerabilities	Vendor Advisory
https://www.dell.com/support/kbdoc/en-us/000223556/dsa-2024-132-security-update-dell-power-protect-data-manager-for-multiple-security-vulnerabilities	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dell:powerprotect_data_manager:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-03-28 19:15

Updated : 2025-01-27 18:55

NVD link : CVE-2024-25971

Mitre link : CVE-2024-25971

CVE.ORG link : CVE-2024-25971

JSON object : View

Products Affected

dell

powerprotect_data_manager

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2024-25971", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.2}]}, "published": "2024-03-28T19:15:48.373", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000223556/dsa-2024-132-security-update-dell-power-protect-data-manager-for-multiple-security-vulnerabilities", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.dell.com/support/kbdoc/en-us/000223556/dsa-2024-132-security-update-dell-power-protect-data-manager-for-multiple-security-vulnerabilities", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Dell PowerProtect Data Manager, version 19.15, contains an XML External Entity Injection vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to information disclosure, denial-of-service."}, {"lang": "es", "value": "Dell PowerProtect Data Manager, versi\u00f3n 19.15, contiene una vulnerabilidad de inyecci\u00f3n de entidad externa XML. Un atacante remoto con privilegios elevados podr\u00eda explotar esta vulnerabilidad, lo que provocar\u00eda la divulgaci\u00f3n de informaci\u00f3n y la denegaci\u00f3n de servicio."}], "lastModified": "2025-01-27T18:55:14.810", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dell:powerprotect_data_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4F26D64-9012-4136-92F7-53E6A8FBF3A2", "versionEndExcluding": "19.16"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}