GMS ECM multiple vulnerabilities

SonicWall Security Advisory

SonicWall GMS (Virtual Appliance, Windows) – 9.3.4 and earlier versions are vulnerable to the following security issues.

1) CVE-2024-29010 – GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability.
The XML document processed in the GMS ECM endpoint is vulnerable to XML external entity (XXE) injection vulnerability leading to information disclosure.
CVSS Score: 7.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CWE-611: Improper Restriction of XML External Entity Reference
2) CVE-2024-29011 – GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability.
Use of hard-coded password in the GMS ECM endpoint leading to authentication bypass vulnerability.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-259: Use of Hard-coded Password

While it is crucial to highlight that SonicWall Analytics products remain unaffected by these vulnerabilities. Additionally, there is no substantiated evidence to suggest that these vulnerabilities are currently being actively exploited in real-world scenarios.

SonicWall strongly recommends that organizations running older versions of GMS builds upgrade to newer fixed versions.

CVE: CVE-2024-29010, CVE-2024-29011
Last updated: April 30, 2024, 7:20 p.m.

READ MORE