GMS ECM Multiple Vulnerabilities

SonicWall GMS (Virtual Appliance, Windows) - 9.3.4 and earlier versions are vulnerable to the following security issues.

1) CVE-2024-29010 - GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability.
The XML document processed in the GMS ECM endpoint is vulnerable to XML external entity (XXE) injection vulnerability leading to information disclosure.
CVSS Score: 7.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CWE-611: Improper Restriction of XML External Entity Reference

2) CVE-2024-29011 - GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability.
Use of hard-coded password in the GMS ECM endpoint leading to authentication bypass vulnerability.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-259: Use of Hard-coded Password

To learn more please visit https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0007.