PT-2024-3261 · Dell · Dell PowerProtect Data Manager

Published: 2024-02-13 · Updated: 2024-02-27 · CVE-2024-22454

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Dell PowerProtect Data Manager versions 19.15 and prior

Description: The vulnerability is a weak password recovery mechanism for forgotten passwords in Dell PowerProtect Data Manager. A remote, unauthenticated attacker could potentially exploit it to gain unauthorized access to the application with the privileges of the compromised account: the attacker could retrieve the password reset token without authorization and then perform the password change.

Recommendations: For versions 19.15 and prior, consider disabling the password recovery feature until a patch is available, to prevent exploitation. Restrict access to the password reset functionality to minimize the risk of unauthorized access, and avoid using the password recovery mechanism until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

BDU:2024-03492
CVE-2024-22454

Affected Products

Dell PowerProtect Data Manager