Weak password recovery in Dell PowerProtect Data Manager (pre-19.15)
CVE-2024-22454 Published on February 13, 2024
Dell PowerProtect Data Manager, version 19.15 and prior versions, contain a weak password recovery mechanism for forgotten passwords. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to unauthorized access to the application with privileges of the compromised account. The attacker could retrieve the reset password token without authorization and then perform the password change
Vulnerability Analysis
CVE-2024-22454 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Weak Password Recovery Mechanism for Forgotten Password
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Products Associated with CVE-2024-22454
Want to know whenever a new CVE is published for Dell Powerprotect Data Manager? stack.watch will email you.
Affected Versions
Dell PowerProtect Data Manager:- Before and including 19.15 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.