Weak Password Recovery Mechanism in Dell SCG Policy Manager Could Lead to Unauthorized Access
CVE-2024-24903
Key Information:
- Vendor: Dell
- CVE Published: 1 March 2024
Summary
Dell Secure Connect Gateway (SCG) Policy Manager, starting from version 5.10, contains a significant vulnerability: its password recovery mechanism is weak. An adjacent network attacker with low privileges could exploit this flaw to retrieve the password reset token without authorization, then change the password and gain unauthorized access to the application with the privileges of the compromised account. Users should review their security practices around password recovery mechanisms to mitigate the risk of unauthorized access.
Affected Version(s)
Secure Connect Gateway (SCG) Policy Manager 5.10 <= 5.20.00.16