Search
Find a vulnerability
Search criteria
10 vulnerabilities found for CyberPower PowerPanel Enterprise by CyberPower
CVE-2024-32739 (GCVE-0-2024-32739)
Vulnerability from nvd – Published: 2024-05-09 14:58 – Updated: 2025-03-28 19:02
VLAI
Title
CyberPower PowerPanel Enterprise SQL Injection
Summary
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_verbose" function within MCUDBHelper.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| CyberPower | CyberPower PowerPanel Enterprise |
Affected:
0 , < 2.8.3
(custom)
|
|
| cyberpower | powerpanel_enterprise |
Affected:
0 , < 2.8.3
(custom)
cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "powerpanel_enterprise",
"vendor": "cyberpower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32739",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T17:27:43.196774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T19:02:37.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberPower PowerPanel Enterprise",
"vendor": "CyberPower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_verbose\" function within MCUDBHelper.\u003cbr\u003e"
}
],
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_verbose\" function within MCUDBHelper.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:58:30.263Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CyberPower PowerPanel Enterprise SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2024-32739",
"datePublished": "2024-05-09T14:58:30.263Z",
"dateReserved": "2024-04-17T11:47:39.834Z",
"dateUpdated": "2025-03-28T19:02:37.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32738 (GCVE-0-2024-32738)
Vulnerability from nvd – Published: 2024-05-09 14:58 – Updated: 2024-08-02 02:20
VLAI
Title
CyberPower PowerPanel Enterprise SQL Injection
Summary
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_lean" function within MCUDBHelper.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| CyberPower | CyberPower PowerPanel Enterprise |
Affected:
0 , < 2.8.3
(custom)
|
|
| cyberpower | powerpanel_enterprise |
Affected:
0 , < 2.8.3
(semver)
cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "powerpanel_enterprise",
"vendor": "cyberpower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T19:31:56.799538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:50:01.621Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.332Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberPower PowerPanel Enterprise",
"vendor": "CyberPower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_lean\" function within MCUDBHelper.\u003cbr\u003e"
}
],
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_lean\" function within MCUDBHelper.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:58:13.209Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CyberPower PowerPanel Enterprise SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2024-32738",
"datePublished": "2024-05-09T14:58:13.209Z",
"dateReserved": "2024-04-17T11:47:39.834Z",
"dateUpdated": "2024-08-02T02:20:35.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32737 (GCVE-0-2024-32737)
Vulnerability from nvd – Published: 2024-05-09 14:57 – Updated: 2024-08-02 02:20
VLAI
Title
CyberPower PowerPanel Enterprise SQL Injection
Summary
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_contract_result" function within MCUDBHelper.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| CyberPower | CyberPower PowerPanel Enterprise |
Affected:
0 , < 2.8.3
(custom)
|
|
| cyberpower | powerpanel_enterprise |
Affected:
0 , < 2.8.3
(custom)
cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "powerpanel_enterprise",
"vendor": "cyberpower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32737",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T17:22:26.942838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:51:42.633Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.316Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberPower PowerPanel Enterprise",
"vendor": "CyberPower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_contract_result\" function within MCUDBHelper.\u003cbr\u003e"
}
],
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_contract_result\" function within MCUDBHelper.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:57:57.579Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CyberPower PowerPanel Enterprise SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2024-32737",
"datePublished": "2024-05-09T14:57:57.579Z",
"dateReserved": "2024-04-17T11:47:39.834Z",
"dateUpdated": "2024-08-02T02:20:35.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32736 (GCVE-0-2024-32736)
Vulnerability from nvd – Published: 2024-05-09 14:57 – Updated: 2025-03-25 18:10
VLAI
Title
CyberPower PowerPanel Enterprise SQL Injection
Summary
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_utask_verbose" function within MCUDBHelper.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| CyberPower | CyberPower PowerPanel Enterprise |
Affected:
0 , < 2.8.3
(custom)
|
|
| cyberpower | powerpanel_enterprise |
Affected:
0 , < 2.8.3
(custom)
cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "powerpanel_enterprise",
"vendor": "cyberpower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32736",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-29T18:44:47.600450Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T18:10:55.407Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.213Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberPower PowerPanel Enterprise",
"vendor": "CyberPower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_utask_verbose\" function within MCUDBHelper.\u003cbr\u003e"
}
],
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_utask_verbose\" function within MCUDBHelper.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:57:38.850Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CyberPower PowerPanel Enterprise SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2024-32736",
"datePublished": "2024-05-09T14:57:38.850Z",
"dateReserved": "2024-04-17T11:47:39.834Z",
"dateUpdated": "2025-03-25T18:10:55.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32735 (GCVE-0-2024-32735)
Vulnerability from nvd – Published: 2024-05-09 14:54 – Updated: 2024-08-02 02:20
VLAI
Title
CyberPower PowerPanel Enterprise Missing Authentication
Summary
An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| CyberPower | CyberPower PowerPanel Enterprise |
Affected:
0 , < 2.8.3
(custom)
|
|
| cyberpower | powerpanel_enterprise |
Affected:
0 , < 2.8.3
(custom)
cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "powerpanel_enterprise",
"vendor": "cyberpower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32735",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-04T19:45:38.473682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T19:52:06.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "ADP Container"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.343Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberPower PowerPanel Enterprise",
"vendor": "CyberPower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application."
}
],
"value": "An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:54:45.407Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CyberPower PowerPanel Enterprise Missing Authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2024-32735",
"datePublished": "2024-05-09T14:54:45.407Z",
"dateReserved": "2024-04-17T11:47:39.834Z",
"dateUpdated": "2024-08-02T02:20:35.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32739 (GCVE-0-2024-32739)
Vulnerability from cvelistv5 – Published: 2024-05-09 14:58 – Updated: 2025-03-28 19:02
VLAI
Title
CyberPower PowerPanel Enterprise SQL Injection
Summary
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_verbose" function within MCUDBHelper.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| CyberPower | CyberPower PowerPanel Enterprise |
Affected:
0 , < 2.8.3
(custom)
|
|
| cyberpower | powerpanel_enterprise |
Affected:
0 , < 2.8.3
(custom)
cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "powerpanel_enterprise",
"vendor": "cyberpower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32739",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T17:27:43.196774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T19:02:37.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberPower PowerPanel Enterprise",
"vendor": "CyberPower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_verbose\" function within MCUDBHelper.\u003cbr\u003e"
}
],
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_verbose\" function within MCUDBHelper.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:58:30.263Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CyberPower PowerPanel Enterprise SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2024-32739",
"datePublished": "2024-05-09T14:58:30.263Z",
"dateReserved": "2024-04-17T11:47:39.834Z",
"dateUpdated": "2025-03-28T19:02:37.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32738 (GCVE-0-2024-32738)
Vulnerability from cvelistv5 – Published: 2024-05-09 14:58 – Updated: 2024-08-02 02:20
VLAI
Title
CyberPower PowerPanel Enterprise SQL Injection
Summary
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_lean" function within MCUDBHelper.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| CyberPower | CyberPower PowerPanel Enterprise |
Affected:
0 , < 2.8.3
(custom)
|
|
| cyberpower | powerpanel_enterprise |
Affected:
0 , < 2.8.3
(semver)
cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "powerpanel_enterprise",
"vendor": "cyberpower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T19:31:56.799538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:50:01.621Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.332Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberPower PowerPanel Enterprise",
"vendor": "CyberPower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_lean\" function within MCUDBHelper.\u003cbr\u003e"
}
],
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_lean\" function within MCUDBHelper.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:58:13.209Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CyberPower PowerPanel Enterprise SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2024-32738",
"datePublished": "2024-05-09T14:58:13.209Z",
"dateReserved": "2024-04-17T11:47:39.834Z",
"dateUpdated": "2024-08-02T02:20:35.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32737 (GCVE-0-2024-32737)
Vulnerability from cvelistv5 – Published: 2024-05-09 14:57 – Updated: 2024-08-02 02:20
VLAI
Title
CyberPower PowerPanel Enterprise SQL Injection
Summary
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_contract_result" function within MCUDBHelper.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| CyberPower | CyberPower PowerPanel Enterprise |
Affected:
0 , < 2.8.3
(custom)
|
|
| cyberpower | powerpanel_enterprise |
Affected:
0 , < 2.8.3
(custom)
cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "powerpanel_enterprise",
"vendor": "cyberpower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32737",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T17:22:26.942838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:51:42.633Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.316Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberPower PowerPanel Enterprise",
"vendor": "CyberPower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_contract_result\" function within MCUDBHelper.\u003cbr\u003e"
}
],
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_contract_result\" function within MCUDBHelper.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:57:57.579Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CyberPower PowerPanel Enterprise SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2024-32737",
"datePublished": "2024-05-09T14:57:57.579Z",
"dateReserved": "2024-04-17T11:47:39.834Z",
"dateUpdated": "2024-08-02T02:20:35.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32736 (GCVE-0-2024-32736)
Vulnerability from cvelistv5 – Published: 2024-05-09 14:57 – Updated: 2025-03-25 18:10
VLAI
Title
CyberPower PowerPanel Enterprise SQL Injection
Summary
A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_utask_verbose" function within MCUDBHelper.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| CyberPower | CyberPower PowerPanel Enterprise |
Affected:
0 , < 2.8.3
(custom)
|
|
| cyberpower | powerpanel_enterprise |
Affected:
0 , < 2.8.3
(custom)
cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "powerpanel_enterprise",
"vendor": "cyberpower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32736",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-29T18:44:47.600450Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T18:10:55.407Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.213Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberPower PowerPanel Enterprise",
"vendor": "CyberPower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_utask_verbose\" function within MCUDBHelper.\u003cbr\u003e"
}
],
"value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_utask_verbose\" function within MCUDBHelper.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:57:38.850Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CyberPower PowerPanel Enterprise SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2024-32736",
"datePublished": "2024-05-09T14:57:38.850Z",
"dateReserved": "2024-04-17T11:47:39.834Z",
"dateUpdated": "2025-03-25T18:10:55.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32735 (GCVE-0-2024-32735)
Vulnerability from cvelistv5 – Published: 2024-05-09 14:54 – Updated: 2024-08-02 02:20
VLAI
Title
CyberPower PowerPanel Enterprise Missing Authentication
Summary
An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| CyberPower | CyberPower PowerPanel Enterprise |
Affected:
0 , < 2.8.3
(custom)
|
|
| cyberpower | powerpanel_enterprise |
Affected:
0 , < 2.8.3
(custom)
cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "powerpanel_enterprise",
"vendor": "cyberpower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32735",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-04T19:45:38.473682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T19:52:06.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "ADP Container"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.343Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CyberPower PowerPanel Enterprise",
"vendor": "CyberPower",
"versions": [
{
"lessThan": "2.8.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application."
}
],
"value": "An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-09T14:54:45.407Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://www.tenable.com/security/research/tra-2024-14"
},
{
"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CyberPower PowerPanel Enterprise Missing Authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2024-32735",
"datePublished": "2024-05-09T14:54:45.407Z",
"dateReserved": "2024-04-17T11:47:39.834Z",
"dateUpdated": "2024-08-02T02:20:35.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}