ID

VAR-202403-0113


CVE

CVE-2024-24905


TITLE

Cross-site scripting vulnerability in Dell's Secure Connect Gateway

Trust: 0.8

sources: JVNDB: JVNDB-2024-014065

DESCRIPTION

Dell Secure Connect Gateway (SCG) Policy Manager, all versions, contains a stored cross-site scripting vulnerability. An adjacent-network, high-privileged attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript code in a trusted application data store. When a victim user accesses the data store through their browser, the malicious code is executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. No detailed vulnerability information is currently provided.

Trust: 2.16

sources: NVD: CVE-2024-24905 // JVNDB: JVNDB-2024-014065 // CNVD: CNVD-2024-20302

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-20302

AFFECTED PRODUCTS

vendor: dell, model: secure connect gateway, scope: lt, version: 5.22.00.16

Trust: 1.0

vendor: Dell, model: secure connect gateway, scope: eq, version: -

Trust: 0.8

vendor: Dell, model: secure connect gateway, scope: eq, version: 5.22.00.16

Trust: 0.8

vendor: Dell, model: secure connect gateway, scope: -, version: -

Trust: 0.8

vendor: dell, model: emc secure connect gateway, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2024-20302 // JVNDB: JVNDB-2024-014065 // NVD: CVE-2024-24905

CVSS

SEVERITY

CVSSV2

CVSSV3

security_alert@emc.com: CVE-2024-24905
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2024-24905
value: HIGH

Trust: 1.0

NVD: CVE-2024-24905
value: HIGH

Trust: 0.8

CNVD: CNVD-2024-20302
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2024-20302
severity: MEDIUM
baseScore: 5.7
vectorString: AV:A/AC:L/AU:M/C:C/I:P/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: COMPLETE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.1
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

security_alert@emc.com: CVE-2024-24905
baseSeverity: HIGH
baseScore: 7.6
vectorString: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 5.8
version: 3.1

Trust: 2.0

NVD: CVE-2024-24905
baseSeverity: HIGH
baseScore: 7.6
vectorString: CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
attackVector: ADJACENT NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2024-20302 // JVNDB: JVNDB-2024-014065 // NVD: CVE-2024-24905 // NVD: CVE-2024-24905

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2024-014065 // NVD: CVE-2024-24905

PATCH

title: Patch for Dell Secure Connect Gateway Cross-Site Scripting Vulnerability (CNVD-2024-20302), url: https://www.cnvd.org.cn/patchInfo/show/543971

Trust: 0.6

sources: CNVD: CNVD-2024-20302

EXTERNAL IDS

db: NVD, id: CVE-2024-24905

Trust: 3.2

db: JVNDB, id: JVNDB-2024-014065

Trust: 0.8

db: CNVD, id: CNVD-2024-20302

Trust: 0.6

sources: CNVD: CNVD-2024-20302 // JVNDB: JVNDB-2024-014065 // NVD: CVE-2024-24905

REFERENCES

url:https://www.dell.com/support/kbdoc/en-us/000222330/dsa-2024-077-security-update-for-dell-secure-connect-gateway-policy-manager-vulnerabilities

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2024-24905

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2024-24905/

Trust: 0.6

sources: CNVD: CNVD-2024-20302 // JVNDB: JVNDB-2024-014065 // NVD: CVE-2024-24905

SOURCES

db: CNVD, id: CNVD-2024-20302
db: JVNDB, id: JVNDB-2024-014065
db: NVD, id: CVE-2024-24905

LAST UPDATE DATE

2024-12-11T22:51:58.384000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2024-20302, date: 2024-04-25T00:00:00
db: JVNDB, id: JVNDB-2024-014065, date: 2024-12-06T00:33:00
db: NVD, id: CVE-2024-24905, date: 2024-12-05T16:47:29.837

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2024-20302, date: 2024-04-18T00:00:00
db: JVNDB, id: JVNDB-2024-014065, date: 2024-12-06T00:00:00
db: NVD, id: CVE-2024-24905, date: 2024-03-01T14:15:53.683