Multiple Flaws in Dell PowerProtect Products Execute Commands

Multiple vulnerabilities have been discovered in Dell's PowerProtect, which were associated with SQL injection, cross-site scripting, privilege escalation, command injection, and path tracing.
The severity for these vulnerabilities ranges between 4.3 and 8.8.
Relevant CVEs have been assigned to all these vulnerabilities, with CVE-2023-44286 associated with Cross-Site Scripting having the highest severity and CVE-2023-44284 with the lowest severity among the discovered vulnerabilities in Dell PowerProtect.
Nearly 8 vulnerabilities have been disclosed, including 4 OS command injections, 1 Path Traversal, 1 SQL injection, 1 Cross-site scripting, and 1 Privilege Escalation.
CVE-2023-48668, CVE-2023-44277, CVE-2023-48667, and CVE-2023-44279 were related to OS command injection vulnerability which can be exploited by a threat actor to potentially execute arbitrary OS commands or bypass security restrictions.
A threat actor could also potentially exploit some of these vulnerabilities and perform various activities such as taking over the system, executing OS commands with vulnerable application privileges, and many others.
CVE-2023-44278 is related to the Path Traversal vulnerability, which threat actors can exploit to gain unauthorized read and write access to the OS files stored on the server filesystem.
The severity for this vulnerability is given as 6.7.
CVE-2023-44284 is related to SQL injection vulnerability, which a threat actor could exploit to execute SQL commands on the application's backend database, resulting in unauthorized read access to the application data.
The severity for this vulnerability has been given as 4.3.
CVE-2023-44286 is related to cross-site scripting vulnerability, which the threat actor can potentially exploit to execute Javascript code in a victim user's DOM environment of the browser.
Successful exploitation could lead to information disclosure, session theft, or client-side request forgery.
The severity of this vulnerability has been given as 8.8.
CVE-2023-44285 is linked with a Privilege Escalation vulnerability, which a threat actor can exploit with low privilege to escalate their privilege due to improper access control.
The severity for this vulnerability has been given as 7.8.
10.1.15 and above to stay on LTS2023 7.10or7.
7.5.25 and above to stay on LTS2022 7.7 6.2.1.100 and below 6.2.1.110 and above CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278 Dell PowerProtect DD management Center 7.0 to 7.12.0.0 7.13.0.10 and aboveor7.
7.5.25 and above to stay on LTS2022 7.7 6.2.1.100 and below 6.2.1.110 and above.
The security advisory published by Dell provides detailed information about these vulnerabilities, their CVSS vector and other information.


This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 15 Dec 2023 11:45:04 +0000


Cyber News related to Multiple Flaws in Dell PowerProtect Products Execute Commands

Dell Urges Customers to Patch Vulnerabilities in PowerProtect Products - Dell is urging customers of its PowerProtect products to review a newly released security advisory and patch a series of potentially serious vulnerabilities. The vulnerabilities impact PowerProtect Data Domain series appliances, which are designed to ...
11 months ago Packetstormsecurity.com
Multiple Flaws in Dell PowerProtect Products Execute Commands - Multiple vulnerabilities have been discovered in Dell's PowerProtect, which were associated with SQL injection, cross-site scripting, privilege escalation, command injection, and path tracing. The severity for these vulnerabilities ranges between 4.3 ...
11 months ago Cybersecuritynews.com
CVE-2018-1183 - In Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.8, Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.8, Dell EMC VASA Provider Virtual Appliance versions prior to 8.4.0.512, Dell EMC SMIS versions prior to ...
6 years ago
Discovering SSRF Flaws in Microsoft Azure Services - Microsoft Azure is an incredibly popular cloud computing platform and its services are used around the world. Recently, security researchers uncovered several Server-Side Request Forgery (SSRF) flaws in many of Microsoft Azure’s services. This type ...
1 year ago Securityaffairs.com
Over 1,450 pfSense servers exposed to RCE attacks via bug chain - Roughly 1,450 pfSense instances exposed online are vulnerable to command injection and cross-site scripting flaws that, if chained, could enable attackers to perform remote code execution on the appliance. PfSense is a popular open-source firewall ...
11 months ago Bleepingcomputer.com
CVE-2020-5356 - Dell PowerProtect Data Manager (PPDM) versions prior to 19.4 and Dell PowerProtect X400 versions prior to 3.2 contain an improper authorization vulnerability. A remote authenticated malicious user may download any file from the affected PowerProtect ...
4 years ago
Dell says names, addresses leaked after hacker claims access to 49M records - Dell is warning customers that their names, physical addresses and some order information may have been accessed in a recent cybersecurity incident. A threat actor known as Menelik made a post on the cybercrime site BreachForums on April 28 claiming ...
6 months ago Packetstormsecurity.com
Dell Data Breach Exposes Personal Information Of 49 Million - Personal details such as names and residential addresses were compromised in the breach, while sensitive financial information remained secure. Dell, the renowned computer manufacturer, has issued a cautionary notice to its customers regarding a ...
6 months ago Cysecurity.news
Google Chrome Six Flaws: Should You be Worried? - Google Chrome is one of the most widely used web browsers around the world, and while it is generally more secure than its predecessors, multiple security flaws have been recently revealed that users should be aware of. Recently, the Google Chrome ...
1 year ago Securityaffairs.com
CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog - CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog. CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog. CISA adds ...
5 months ago Securityaffairs.com
178K+ SonicWall Firewalls Vulnerable to DoS, RCE Attacks - Two unauthenticated denial-of-service vulnerabilities are threatening the security of SonicWall next-generation firewall devices, exposing more than 178,000 of them to both DoS as well as remote code execution attacks. SonicWall products affected are ...
10 months ago Darkreading.com
CVE-2018-1216 - A hard-coded password vulnerability was discovered in vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement): Dell EMC Unisphere ...
6 years ago
CVE-2018-1215 - An arbitrary file upload vulnerability was discovered in vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement): Dell EMC ...
6 years ago
Microsoft March 2024 Patch Tuesday fixes 60 flaws, 18 RCE bugs - Today is Microsoft's March 2024 Patch Tuesday, and security updates have been released for 60 vulnerabilities, including eighteen remote code execution flaws. This Patch Tuesday fixes only two critical vulnerabilities: Hyper-V remote code execution ...
8 months ago Bleepingcomputer.com
Microsoft: Multiple Perforce Server Flaws Allow for Network Takeover - Microsoft has identified four vulnerabilities in the Perforce source-code management platform, the most critical of which gives attackers access to a highly privileged Windows OS account to potentially take over the system via remote code execution ...
11 months ago Darkreading.com
Samsung Galaxy Store Flaws Put Millions of Devices Vulnerable - Researchers have discovered severe security flaws in the Samsung Galaxy Store application. These vulnerabilities put millions of users, including those who use Samsung phones, tablets, smart TVs, and wearables, at risk of cyberattacks. The security ...
1 year ago Securityaffairs.com
Nissan NA breach, VMware Pwn2Own fix, GE Ultrasound flaws - The car manufacturer has disclosed that a breach discovered last November has exposed personal data of more than 53,000 current and former employees of the company. This breach occurred during a hit on its external VPN by a threat actor who then ...
6 months ago Cisoseries.com
Threat Groups Rush to Exploit JetBrains' TeamCity CI/CD Security Flaws - The cyberthreats to users of JetBrains' TeamCity CI/CD platform continue to mount a week after the company issued two fixes to security vulnerabilities, with one cybersecurity vendor noting a ransomware attack that included exploiting the flaws for ...
8 months ago Securityboulevard.com
Privilege elevation exploits used in over 50% of insider attacks - Elevation of privilege flaws are the most common vulnerability leveraged by corporate insiders when conducting unauthorized activities on networks, whether for malicious purposes or by downloading risky tools in a dangerous manner. A report by ...
11 months ago Bleepingcomputer.com
New ATM Malware family emerged in the threat landscape - Threat actors may have exploited a zero-day in older iPhones, Apple warns. Microsoft fixed two zero-day bugs exploited in malware attacks. Threat actors actively exploit JetBrains TeamCity flaws to deliver malware. Raspberry Robin spotted using two ...
5 months ago Securityaffairs.com
Sav-Rx data breach impacted over 2.8 million individuals - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks. Microsoft fixed two zero-day bugs exploited in malware ...
5 months ago Securityaffairs.com
Exploits released for critical Jenkins RCE flaw, patch now - Multiple proof-of-concept exploits for a critical Jenkins vulnerability allowing unauthenticated attackers to read arbitrary files have been made publicly available, with some researchers reporting attackers actively exploiting the flaws in attacks. ...
9 months ago Bleepingcomputer.com
MOVEit Transfer Flaws Push Security Defense Into a Race With Attackers - Attackers appear to be pounding away at a couple of critical bugs that Progress Software disclosed this week in its MOVEit file transfer application, with nearly the same ferocity as they did the zero-day flaw the company disclosed almost exactly a ...
4 months ago Darkreading.com
Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day - Today is Microsoft's December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs. While eight remote code execution bugs were fixed, Microsoft only rated three ...
11 months ago Bleepingcomputer.com
Dell warns of data breach, 49 million customers allegedly affected - Dell is warning customers of a data breach after a threat actor claimed to have stolen information for approximately 49 million customers. The computer maker began emailing data breach notifications to customers yesterday, stating that a Dell portal ...
6 months ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)