CVE-2023-44284

Name

SQL Injection

CVSS score

4.3 (Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Product name

Dell PowerProtect DD

Confirmed exploitable versions

prior to: 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110

Researcher

Jakub Brzozowski (redfr0g), Franciszek Kalinowski, Stanisław Koza

Description

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15 and 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database, causing unauthorized read access to application data.

Proof-of-concept

PoC: TBA

Timeline

05-10-2023 - vulnerability reported to vendor
10-01-2024 - public security advisory released

References

https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44284