Vulnerability-Lookup

CVE-2024-39586 (GCVE-0-2024-39586)

Vulnerability from cvelistv5 – Published: 2024-10-09 06:48 – Updated: 2024-10-09 13:25

Summary

Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure.

Severity

2.9 (Low)


                        
                          CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L

CWE

CWE-611 - Improper Restriction of XML External Entity Reference

Assigner

dell

References

1 reference

URL	Tags
https://www.dell.com/support/kbdoc/en-us/00023421…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Dell	AppSync	Affected: 4.3.0.0 , ≤ 4.6.0.0 (semver)

Date Public

2024-10-09 05:30

Credits

Dell would like to thank B4gpipe for reporting this issue

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-39586",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-09T13:17:14.146159Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-09T13:25:52.908Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "AppSync",
          "vendor": "Dell",
          "versions": [
            {
              "lessThanOrEqual": "4.6.0.0",
              "status": "affected",
              "version": "4.3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dell would like to thank B4gpipe for reporting this issue"
        }
      ],
      "datePublic": "2024-10-09T05:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure."
            }
          ],
          "value": "Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-09T06:48:53.639Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.dell.com/support/kbdoc/en-us/000234216/dsa-2024-420-security-update-for-dell-emc-appsync-for-multiple-vulnerabilities"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2024-39586",
    "datePublished": "2024-10-09T06:48:53.639Z",
    "dateReserved": "2024-06-26T02:16:08.993Z",
    "dateUpdated": "2024-10-09T13:25:52.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-39586",
      "date": "2026-05-28",
      "epss": "0.00049",
      "percentile": "0.15722"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dell:emc_appsync:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.3.0.0\", \"versionEndExcluding\": \"4.6.0.3\", \"matchCriteriaId\": \"47576435-9C88-45D1-98C1-998FA0E69808\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure.\"}, {\"lang\": \"es\", \"value\": \"Dell AppSync Server, versi\\u00f3n 4.3 a 4.6, contiene una vulnerabilidad de inyecci\\u00f3n de entidad externa XML. Un atacante adyacente con privilegios elevados podr\\u00eda aprovechar esta vulnerabilidad, lo que dar\\u00eda lugar a la divulgaci\\u00f3n de informaci\\u00f3n.\"}]",
      "id": "CVE-2024-39586",
      "lastModified": "2024-10-17T14:30:02.843",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security_alert@emc.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L\", \"baseScore\": 2.9, \"baseSeverity\": \"LOW\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 0.4, \"impactScore\": 2.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.7, \"impactScore\": 3.6}]}",
      "published": "2024-10-09T07:15:09.473",
      "references": "[{\"url\": \"https://www.dell.com/support/kbdoc/en-us/000234216/dsa-2024-420-security-update-for-dell-emc-appsync-for-multiple-vulnerabilities\", \"source\": \"security_alert@emc.com\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security_alert@emc.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security_alert@emc.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-39586\",\"sourceIdentifier\":\"security_alert@emc.com\",\"published\":\"2024-10-09T07:15:09.473\",\"lastModified\":\"2024-10-17T14:30:02.843\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure.\"},{\"lang\":\"es\",\"value\":\"Dell AppSync Server, versi\u00f3n 4.3 a 4.6, contiene una vulnerabilidad de inyecci\u00f3n de entidad externa XML. Un atacante adyacente con privilegios elevados podr\u00eda aprovechar esta vulnerabilidad, lo que dar\u00eda lugar a la divulgaci\u00f3n de informaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security_alert@emc.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L\",\"baseScore\":2.9,\"baseSeverity\":\"LOW\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.4,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.7,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security_alert@emc.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dell:emc_appsync:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.3.0.0\",\"versionEndExcluding\":\"4.6.0.3\",\"matchCriteriaId\":\"47576435-9C88-45D1-98C1-998FA0E69808\"}]}]}],\"references\":[{\"url\":\"https://www.dell.com/support/kbdoc/en-us/000234216/dsa-2024-420-security-update-for-dell-emc-appsync-for-multiple-vulnerabilities\",\"source\":\"security_alert@emc.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-39586\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-09T13:17:14.146159Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-09T13:25:46.160Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Dell would like to thank B4gpipe for reporting this issue\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 2.9, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Dell\", \"product\": \"AppSync\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.3.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.6.0.0\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-10-09T05:30:00.000Z\", \"references\": [{\"url\": \"https://www.dell.com/support/kbdoc/en-us/000234216/dsa-2024-420-security-update-for-dell-emc-appsync-for-multiple-vulnerabilities\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611: Improper Restriction of XML External Entity Reference\"}]}], \"providerMetadata\": {\"orgId\": \"c550e75a-17ff-4988-97f0-544cde3820fe\", \"shortName\": \"dell\", \"dateUpdated\": \"2024-10-09T06:48:53.639Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-39586\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-09T13:25:52.908Z\", \"dateReserved\": \"2024-06-26T02:16:08.993Z\", \"assignerOrgId\": \"c550e75a-17ff-4988-97f0-544cde3820fe\", \"datePublished\": \"2024-10-09T06:48:53.639Z\", \"assignerShortName\": \"dell\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CNVD-2025-15009

Vulnerability from cnvd - Published: 2025-07-03

Title

Dell AppSync Server XML外部实体注入漏洞

Description

Dell AppSync Server是美国戴尔（Dell）公司的一个拷贝数据管理软件。 Dell AppSync Server 4.3至4.6版本存在XML外部实体注入漏洞，该漏洞源于网络系统或产品未设置正确的过滤允许引用外部实体，攻击者可利用该漏洞通过发送特制的XML文件读取文件。

Severity

中

Patch Name

Dell AppSync Server XML外部实体注入漏洞的补丁

Patch Description

Dell AppSync Server是美国戴尔（Dell）公司的一个拷贝数据管理软件。 Dell AppSync Server 4.3至4.6版本存在XML外部实体注入漏洞，该漏洞源于网络系统或产品未设置正确的过滤允许引用外部实体，攻击者可利用该漏洞通过发送特制的XML文件读取文件。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.dell.com/support/kbdoc/en-us/000234216/dsa-2024-420-security-update-for-dell-emc-appsync-for-multiple-vulnerabilities

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-39586

Impacted products

Name
DELL Dell AppSync Server >=4.3，<=4.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-39586",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-39586"
    }
  },
  "description": "Dell AppSync Server\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u62f7\u8d1d\u6570\u636e\u7ba1\u7406\u8f6f\u4ef6\u3002\n\nDell AppSync Server 4.3\u81f34.6\u7248\u672c\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u8bbe\u7f6e\u6b63\u786e\u7684\u8fc7\u6ee4\u5141\u8bb8\u5f15\u7528\u5916\u90e8\u5b9e\u4f53\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u53d1\u9001\u7279\u5236\u7684XML\u6587\u4ef6\u8bfb\u53d6\u6587\u4ef6\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.dell.com/support/kbdoc/en-us/000234216/dsa-2024-420-security-update-for-dell-emc-appsync-for-multiple-vulnerabilities",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-15009",
  "openTime": "2025-07-03",
  "patchDescription": "Dell AppSync Server\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u62f7\u8d1d\u6570\u636e\u7ba1\u7406\u8f6f\u4ef6\u3002\r\n\r\nDell AppSync Server 4.3\u81f34.6\u7248\u672c\u5b58\u5728XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u8bbe\u7f6e\u6b63\u786e\u7684\u8fc7\u6ee4\u5141\u8bb8\u5f15\u7528\u5916\u90e8\u5b9e\u4f53\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u53d1\u9001\u7279\u5236\u7684XML\u6587\u4ef6\u8bfb\u53d6\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Dell AppSync Server XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "DELL Dell AppSync Server \u003e=4.3\uff0c\u003c=4.6"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-39586",
  "serverity": "\u4e2d",
  "submitTime": "2024-10-17",
  "title": "Dell AppSync Server XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e"
}

FKIE_CVE-2024-39586

Vulnerability from fkie_nvd - Published: 2024-10-09 07:15 - Updated: 2024-10-17 14:30

Severity

2.9 (Low) - CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security_alert@emc.com	https://www.dell.com/support/kbdoc/en-us/000234216/dsa-2024-420-security-update-for-dell-emc-appsync-for-multiple-vulnerabilities	Vendor Advisory

Impacted products

	Vendor	Product	Version
	dell	emc_appsync	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dell:emc_appsync:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "47576435-9C88-45D1-98C1-998FA0E69808",
              "versionEndExcluding": "4.6.0.3",
              "versionStartIncluding": "4.3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure."
    },
    {
      "lang": "es",
      "value": "Dell AppSync Server, versi\u00f3n 4.3 a 4.6, contiene una vulnerabilidad de inyecci\u00f3n de entidad externa XML. Un atacante adyacente con privilegios elevados podr\u00eda aprovechar esta vulnerabilidad, lo que dar\u00eda lugar a la divulgaci\u00f3n de informaci\u00f3n."
    }
  ],
  "id": "CVE-2024-39586",
  "lastModified": "2024-10-17T14:30:02.843",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 2.9,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 0.4,
        "impactScore": 2.5,
        "source": "security_alert@emc.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.7,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-09T07:15:09.473",
  "references": [
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.dell.com/support/kbdoc/en-us/000234216/dsa-2024-420-security-update-for-dell-emc-appsync-for-multiple-vulnerabilities"
    }
  ],
  "sourceIdentifier": "security_alert@emc.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "security_alert@emc.com",
      "type": "Secondary"
    }
  ]
}

GHSA-XX6G-8FH5-HQ6C

Vulnerability from github – Published: 2024-10-09 09:31 – Updated: 2024-10-09 09:31

Details

Severity

2.9 (Low)


                  
                    CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-39586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-09T07:15:09Z",
    "severity": "LOW"
  },
  "details": "Dell AppSync Server, version 4.3 through 4.6, contains an XML External Entity Injection vulnerability. An adjacent high privileged attacker could potentially exploit this vulnerability, leading to information disclosure.",
  "id": "GHSA-xx6g-8fh5-hq6c",
  "modified": "2024-10-09T09:31:35Z",
  "published": "2024-10-09T09:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39586"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000234216/dsa-2024-420-security-update-for-dell-emc-appsync-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-39586 (GCVE-0-2024-39586)

CNVD-2025-15009

FKIE_CVE-2024-39586

GHSA-XX6G-8FH5-HQ6C

Tags

Sightings

Nomenclature