GMS ECM Multiple Vulnerabilities

SonicWall GMS (Virtual Appliance, Windows) versions 9.3.4 and earlier are vulnerable to the following security issues.


1) CVE-2024-29010 - GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability.
The XML document processed by the GMS ECM endpoint is vulnerable to XML external entity (XXE) injection, leading to information disclosure.
CVSS Score: 7.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CWE-611: Improper Restriction of XML External Entity Reference


2) CVE-2024-29011 - GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability.
The GMS ECM endpoint uses a hard-coded password, leading to authentication bypass.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-259: Use of Hard-coded Password


To learn more, please visit https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0007.