The version of Dell Wyse Management Suite installed on the remote host is prior to 4.0. It is, therefore, affected by multiple vulnerabilities as referenced in the DSA-2022-329 advisory.

  - Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does     not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as     demonstrated by nesting of FORM elements. (CVE-2020-26870)

  - The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via     the writeReplace() method in internal classes, which may lead to DoS attacks. (CVE-2022-25647)

  - The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious     XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler     and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being     retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes     (such as OpenJDK) include repackaged copies of Xalan. (CVE-2022-34169)

  - Wyse Management Suite Repository 3.8 and earlier contain an information disclosure vulnerability in error     pages with which an attacker may potentially discover the internal structure of the application and its     components and use this information for further vulnerability research. (CVE-2022-46675)

  - Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. A malicious admin     user may potentially disable or delete users under administration and unassigned admins for which the     group admin is not authorized. (CVE-2022-46676)

  - Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated     malicious admin user may potentially create a subgroup under a group for which the admin is not     authorized. (CVE-2022-46677)

  - Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated     malicious admin user may potentially edit general client policy for which the user is not authorized.
    (CVE-2022-46678, CVE-2022-46755)

  - Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated     malicious admin user may potentially access certain pro license features for which this admin is not     authorized in order to configure user controlled external entities. (CVE-2022-46754)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Dell Wyse Management Suite < 4.0 Multiple Vulnerabilities (DSA-2022-329)

high Nessus Plugin ID 168926

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.3 Sep 12, 2023, 2:08 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") Plugin Feed: 202309121408
Version 1.2 Dec 20, 2022, 9:43 PM Reference Plugin Feed: 202212202143
Version 1.1 Dec 20, 2022, 1:54 PM Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202212201354
Version 1.0 Dec 19, 2022, 11:49 PM New Plugin Feed: 202212192349