Dell PowerProtect Data Manager up to 19.18.0-23 escape output
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.3 | $5k-$25k | 0.00 |
Summary
A vulnerability marked as problematic has been reported in Dell PowerProtect Data Manager up to 19.18.0-23. Affected is an unknown function. This manipulation causes escape output. This vulnerability is registered as CVE-2025-23377. Remote exploitation of the attack is possible. No exploit is available.
Details
A vulnerability classified as problematic was found in Dell PowerProtect Data Manager up to 19.18.0-23. Affected by this vulnerability is an unknown code. The manipulation with an unknown input leads to a escape output vulnerability. The CWE definition for the vulnerability is CWE-116. The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. As an impact it is known to affect confidentiality. The summary by CVE is:
Dell PowerProtect Data Manager Reporting, version(s) 19.17, 19.18 contain(s) an Improper Encoding or Escaping of Output vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability to inject arbitrary web script or html in reporting outputs.
It is possible to read the advisory at dell.com. This vulnerability is known as CVE-2025-23377 since 01/15/2025. The exploitation appears to be easy. The attack can be launched remotely. The exploitation requires an enhanced level of successful authentication. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 04/28/2025).
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
Be aware that VulDB is the high quality source for vulnerability data.
Product
Vendor
Name
Version
License
Website
- Vendor: https://www.dell.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 3.3VulDB Meta Temp Score: 3.3
VulDB Base Score: 2.4
VulDB Temp Score: 2.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 4.2
CNA Vector (dell): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Escape outputCWE: CWE-116 / CWE-74 / CWE-707
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Timeline
01/15/2025 🔍04/28/2025 🔍
04/28/2025 🔍
04/28/2025 🔍
Sources
Vendor: dell.comAdvisory: dsa-2025-062
Status: Confirmed
CVE: CVE-2025-23377 (🔍)
GCVE (CVE): GCVE-0-2025-23377
GCVE (VulDB): GCVE-100-306415
Entry
Created: 04/28/2025 17:00Changes: 04/28/2025 17:00 (61)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.