GMS ECM Multiple Vulnerabilities

First Published: 05/01/2024 Last Updated: 05/01/2024

SonicWall GMS (Virtual Appliance, Windows) versions 9.3.4 and earlier are vulnerable to the following security issues.


1) CVE-2024-29010 - GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability.
The XML document processed by the GMS ECM endpoint is subject to XML external entity (XXE) injection, leading to information disclosure.
CVSS Score: 7.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CWE-611: Improper Restriction of XML External Entity Reference


2) CVE-2024-29011 - GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability.
The GMS ECM endpoint uses a hard-coded password, leading to authentication bypass.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-259: Use of Hard-coded Password


To learn more, please visit https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0007.