CVE-2022-34366

Vulnerability

Dell SupportAssist for Home PCs (version 3.11.2 and prior) contains an Overly Permissive Cross-domain Whitelist vulnerability [1]. This flaw exists in the component that manages cross-domain communication whitelists, allowing domains that should be restricted to be included. An authenticated non-admin user can exploit this to access sensitive data.

Exploitation

An attacker must be authenticated as a non-admin user on the affected system [1]. No special privileges or user interaction beyond authentication is required. The attacker can leverage the overly permissive whitelist to make cross-domain requests that retrieve information from protected resources.

Impact

Successful exploitation leads to the disclosure of sensitive information [1]. The CVSS v3.1 base score is not provided for this specific CVE, but the vector indicates local access with low privileges and low complexity, resulting in a confidentiality impact (High) with no integrity or availability impact. The attacker gains access to data they are not authorized to view.

Mitigation

Dell released an update in DSA-2022-190 to address this vulnerability [1]. Users should upgrade SupportAssist for Home PCs to a version later than 3.11.2. No workarounds are mentioned in the available reference.