Impact
Dell PowerFlex Manager has an SQL injection vulnerability (CWE‑89) due to improper neutralization of special characters in SQL commands. A low‑privileged attacker with network access adjacent to the manager can inject malicious queries. Exploitation may expose configuration data, user credentials, or other sensitive information from the PowerFlex database, affecting confidentiality.
Affected Systems
Affected product is Dell PowerFlex Manager, versions earlier than 5.1.0.1. The vulnerability exists in all releases identified by Dell as vulnerable in the security update. No other Dell products or vendor releases are impacted.
Risk and Exploitability
The CVSS score of 3.5 indicates low severity, while the EPSS score is below 1%, suggesting a low likelihood of active exploitation. The vulnerability is not listed in CISA KEV catalog. Attack requires a low‑privileged account on a network segment that can reach PowerFlex Manager, limiting the scope to adjacent hosts and not providing remote code execution or denial of service.
OpenCVE Enrichment