Stored Cross-Site Scripting Vulnerability in Dell SCG Policy Manager Could Lead to Information Disclosure, Session Theft, or Client-Side Request Forgery
CVE-2024-24904
7.6 HIGH
Key Information:
- Vendor: Dell
- Vendor
- CVE Published: 1 March 2024
Summary
The Dell Secure Connect Gateway (SCG) Policy Manager exhibits a vulnerability that allows for stored cross-site scripting (XSS) attacks. This issue enables high-privileged attackers in adjacent networks to inject malicious HTML or JavaScript into a trusted application data store. When users interact with the affected application, the injected code can execute in their web browsers, potentially leading to serious consequences including information disclosure, session theft, and client-side request forgery. Organizations using the Dell SCG Policy Manager should prioritize applying available updates to mitigate this vulnerability.
Affected Version(s)
Secure Connect Gateway (SCG) Policy Manager < 5.22.00.16
CVSS V3.1
- Score: 7.6
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
kosmosec