Stored Cross-Site Scripting Vulnerability in Dell SCG Policy Manager Could Lead to Information Disclosure, Session Theft, or Client-Side Request Forgery
CVE-2024-24907

7.6HIGH

Key Information:

Vendor: Dell
Status: Secure Connect Gateway (scg) Policy Manager
Vendor: CVE Published:; 1 March 2024

Summary

Dell Secure Connect Gateway (SCG) Policy Manager contains a vulnerability that allows for Stored Cross-Site Scripting (XSS) through the Filters page. A high-privileged attacker on an adjacent network can exploit this flaw to store malicious HTML or JavaScript code within a trusted application data store. When an unsuspecting user accesses this data store via their web browser, the malicious code executes in the context of the web application. This exploitation can lead to significant security concerns, including unauthorized information disclosure, session theft, and the potential for client-side request forgery.

Affected Version(s)

Secure Connect Gateway (SCG) Policy Manager < 5.22.00.16

References

https://www.dell.com/support/kbdoc/en-us/000222330/dsa-20...

vendor-advisory

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 1, 2024
Vulnerability Reserved
Feb 1, 2024

Credit

juust4