SB2024082111 - Multiple vulnerabilities in Dell Secure Connect Gateway
Published: August 21, 2024
Description
This security bulletin contains information about 7 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2024-28965)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because SCG exposes an internal "enable" REST API (when enabled by an Admin user from the UI). A remote user can invoke certain internal APIs intended only for Admin users against the application's backend database, potentially gaining access to restricted resources and changing application state.
2) Improper access control (CVE-ID: CVE-2024-28966)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because SCG exposes an internal "update" REST API (when enabled by an Admin user from the UI). A remote user can exploit this vulnerability to invoke certain APIs intended only for Admin users against the application's backend database, potentially gaining unauthorized access to restricted resources and changing application state.
3) Improper access control (CVE-ID: CVE-2024-28967)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because SCG exposes an internal "maintenance" REST API (when enabled by an Admin user from the UI). A remote user can exploit this vulnerability to invoke certain APIs intended only for Admin users against the application's backend database, potentially gaining access to restricted resources and changing application state.
4) Improper access control (CVE-ID: CVE-2024-28968)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because SCG exposes internal email and collection settings REST APIs (when enabled by an Admin user from the UI). A remote user can exploit this vulnerability to invoke certain APIs intended only for Admin users against the application's backend database, potentially gaining unauthorized access to restricted resources and changing application state.
5) Improper access control (CVE-ID: CVE-2024-28969)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists because SCG exposes an internal "update" REST API (when enabled by an Admin user from the UI). A remote user can exploit this vulnerability to invoke certain APIs intended only for Admin users against the application's backend database, potentially gaining unauthorized access to restricted resources.
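Items 1 through 5 share one flaw class: an internal, admin-only REST API that becomes reachable by any remote user once an administrator switches it on. The following Python snippet is an added illustration, not Dell SCG code, of why an "enabled" toggle is not an authorization check. The gateway class, API names and roles are invented for the example; the "enable", "update", "maintenance" and settings names simply mirror the bulletin's wording.

```python
"""Added example (not Dell SCG code): feature toggle vs. authorization.

Assumed model: an administrator can enable an internal REST API from the UI.
The vulnerable dispatcher only checks that toggle; the hardened one also
checks the authenticated caller's role before running an admin-only API.
"""
from dataclasses import dataclass, field

# Hypothetical internal API names, named after the ones the bulletin lists.
ADMIN_ONLY_INTERNAL_APIS = {
    "enable", "update", "maintenance", "email_settings", "collection_settings",
}


@dataclass
class Request:
    user: str
    role: str   # "admin" or "user", as established by the authenticated session
    api: str    # internal API the caller is trying to invoke


@dataclass
class InternalApiGateway:
    internal_api_enabled: bool = False          # toggled by an admin from the UI
    state: dict = field(default_factory=lambda: {"maintenance_mode": False})

    def dispatch_vulnerable(self, req: Request) -> str:
        """Vulnerable pattern: exposure toggle treated as the only gate."""
        if not self.internal_api_enabled:
            return "404 internal API not enabled"
        return self._execute(req)

    def dispatch_hardened(self, req: Request) -> str:
        """Hardened pattern: toggle controls exposure, role controls access."""
        if not self.internal_api_enabled:
            return "404 internal API not enabled"
        if req.api in ADMIN_ONLY_INTERNAL_APIS and req.role != "admin":
            return "403 forbidden"
        return self._execute(req)

    def _execute(self, req: Request) -> str:
        # Any admin-only API here can read or change backend state.
        if req.api == "maintenance":
            self.state["maintenance_mode"] = True
        return f"200 executed {req.api} as {req.user}"


def probe(enabled: bool, role: str, api: str) -> dict:
    """Run the same request through both dispatchers on fresh gateways.

    Returns the HTTP-style result of each path plus whether the
    vulnerable path let a non-admin change backend state.
    """
    vuln = InternalApiGateway(internal_api_enabled=enabled)
    hard = InternalApiGateway(internal_api_enabled=enabled)
    req = Request(user="remote-user", role=role, api=api)
    return {
        "vulnerable": vuln.dispatch_vulnerable(req),
        "hardened": hard.dispatch_hardened(req),
        "vulnerable_state_changed": vuln.state["maintenance_mode"],
        "hardened_state_changed": hard.state["maintenance_mode"],
    }


if __name__ == "__main__":
    # A low-privileged remote user hitting an admin-only API after an admin enabled it.
    print(probe(enabled=True, role="user", api="maintenance"))
```

The check a reviewer wants to see is the second `if` in `dispatch_hardened`: the role comes from the session, not from the request body, and it is evaluated on every call to an admin-only API regardless of whether the feature is enabled.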
6) SQL injection (CVE-ID: CVE-2024-29168)
The vulnerability allows a remote user to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can exploit this vulnerability to execute certain SQL commands on the application's backend database, potentially causing unauthorized access to and modification of application data.
7) SQL injection (CVE-ID: CVE-2024-29169)
The vulnerability allows a remote user to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can exploit this vulnerability to execute certain SQL commands on the application's backend database, potentially causing unauthorized access to and modification of application data.
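Items 6 and 7 describe the classic injection pattern: user-supplied data is spliced into a SQL statement, so the data becomes part of the command. The snippet below is an added example, not code from the bulletin or from Dell SCG; it uses an in-memory SQLite table with constructed rows to show both outcomes the bulletin names, unauthorized reads and unauthorized modification, and the parameterized form that prevents them.

```python
"""Added example (not Dell SCG code): SQL injection via string formatting
versus parameterized queries, on a constructed in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three devices owned by two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices (name, owner) VALUES (?, ?)",
        [("srv-01", "alice"), ("srv-02", "bob"), ("srv-03", "alice")],
    )
    conn.commit()
    return conn


# --- vulnerable: user input is formatted straight into the statement ---

def list_devices_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    sql = f"SELECT name FROM devices WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def rename_device_vulnerable(conn: sqlite3.Connection, device_id: int, new_name: str) -> None:
    sql = f"UPDATE devices SET name = '{new_name}' WHERE id = {device_id}"
    conn.execute(sql)
    conn.commit()


# --- hardened: the driver binds parameters; input can never become SQL ---

def list_devices_parameterized(conn: sqlite3.Connection, owner: str) -> list[str]:
    return [row[0] for row in conn.execute("SELECT name FROM devices WHERE owner = ?", (owner,))]


def rename_device_parameterized(conn: sqlite3.Connection, device_id: int, new_name: str) -> None:
    conn.execute("UPDATE devices SET name = ? WHERE id = ?", (new_name, device_id))
    conn.commit()


def all_names(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT name FROM devices ORDER BY id")]


# Constructed attacker inputs: the first widens a read, the second drops the
# WHERE clause of a write by opening a SQL comment.
READ_PAYLOAD = "bob' OR '1'='1"
WRITE_PAYLOAD = "pwned' --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable read  :", list_devices_vulnerable(conn, READ_PAYLOAD))
    print("parameterized read:", list_devices_parameterized(conn, READ_PAYLOAD))
    rename_device_vulnerable(conn, 1, WRITE_PAYLOAD)
    print("after vulnerable rename:", all_names(conn))
```

With `READ_PAYLOAD` the vulnerable query returns every device regardless of owner, while the parameterized query returns nothing because no owner is literally named `bob' OR '1'='1`. With `WRITE_PAYLOAD` the vulnerable `UPDATE` loses its `WHERE` clause and renames every row; the parameterized `UPDATE` changes only the requested row and stores the payload as an ordinary string.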
Remediation
Install the update from the vendor's website. Until the update is applied, verify that the internal REST APIs described above have not been enabled from the Admin UI, since the access control issues are only reachable when an administrator has turned them on.