CVE-2024-24903

Name of the Vulnerable Software and Affected Versions Dell Secure Connect Gateway (SCG) Policy Manager version 5.10+

Description The issue is related to a weak password recovery mechanism for forgotten passwords. An adjacent network low privileged attacker could potentially exploit this, leading to unauthorized access to the application with privileges of the compromised account. The attacker could retrieve the reset password token without authorization and then perform the password change.

Recommendations For version 5.10+, consider disabling the password recovery mechanism until a patch is available to prevent exploitation. Restrict access to the password reset functionality to minimize the risk of unauthorized password changes. Avoid using the password recovery feature in the affected version until the issue is resolved.