CVE-2023-28051

Vulnerability

Dell Power Manager versions 3.10 and prior contain an Improper Access Control vulnerability (CVE-2023-28051). The issue lies in the software's access control mechanisms, which fail to properly enforce restrictions, allowing a low-privileged attacker to interact with functions or objects that should require higher privileges [1].

Exploitation

An attacker with low-privileged user access to the local system can exploit this vulnerability without user interaction (UI:N) and without needing any special timing or race conditions. The attack vector is local (AV:L), and the required privileges are low (PR:L). No network access is needed, and the attack complexity is low (AC:L) [1].

Impact

Successful exploitation allows the attacker to elevate privileges on the system, leading to a full compromise of confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS base score is 7.8, indicating high severity [1].

Mitigation

Dell released version 3.11 of Power Manager to address this vulnerability, available for download at the Dell support site [1]. Users should update to version 3.11 or later. No workarounds or mitigations are provided for unpatched versions [1].