CVE-2023-44278
https://notcve.org/view.php?id=CVE-2023-44278
Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application. Dell PowerProtect DD, versiones anteriores a 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contienen una vulnerabilidad de path traversal. Un atacante local con privilegios elevados podría explotar esta vulnerabilidad para obtener acceso de lectura y escritura no autorizado a los archivos del sistema operativo almacenados en el sistema de archivos del servidor, con los privilegios de la aplicación en ejecución. • https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2023-44277
https://notcve.org/view.php?id=CVE-2023-44277
Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. Dell PowerProtect DD, versiones anteriores a 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contienen una vulnerabilidad de inyección de comandos del sistema operativo en la Interfaz de Línea de Comandos (CLI). Un atacante local con pocos privilegios podría explotar esta vulnerabilidad, lo que llevaría a la ejecución de comandos arbitrarios del sistema operativo en el sistema operativo subyacente de la aplicación, con los privilegios de la aplicación vulnerable. • https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2022-45102
https://notcve.org/view.php?id=CVE-2022-45102
Dell EMC Data Protection Central, versions 19.1 through 19.7, contains a Host Header Injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary \u2018Host\u2019 header values to poison a web cache or trigger redirections. • https://www.dell.com/support/kbdoc/en-us/000206329/dsa-2022-348-dell-emc-data-protection-central-security-update-for-proprietary-code-vulnerability • CWE-116: Improper Encoding or Escaping of Output CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax •
CVE-2019-18582
https://notcve.org/view.php?id=CVE-2019-18582
Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to inject malicious report generation scripts in the server. This may lead to OS command execution as the regular user runs the DPA service on the affected system. Dell EMC Data Protection Advisor versiones 6.3, 6.4, 6.5, 18.2 anteriores al parche 83 y las versiones 19.1 anteriores al parche 71, contiene una vulnerabilidad de inyección de plantilla del lado del servidor en la API REST. Un usuario malicioso autenticado remoto con privilegios administrativos puede explotar esta vulnerabilidad para inyectar scripts de generación de reportes maliciosos en el servidor. • https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2019-18581
https://notcve.org/view.php?id=CVE-2019-18581
Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to alter the application’s allowable list of OS commands. This may lead to arbitrary OS command execution as the regular user runs the DPA service on the affected system. Dell EMC Data Protection Advisor versiones 6.3, 6.4, 6.5, 18.2 anteriores al parche 83 y las versiones 19.1 anteriores al parche 71 contiene una vulnerabilidad de falta de autorización del servidor en la API REST. Un usuario malicioso autenticado remoto con privilegios administrativos puede explotar esta vulnerabilidad para alterar la lista permitida de comandos de Sistema Operativo de la aplicación. • https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities • CWE-862: Missing Authorization •