
    19 vulnerabilities found for Envoy by Enphase

    VAR-201902-0281

    Vulnerability from variot - Updated: 2024-11-23 22:55

    A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can log in via TCP port 8888 with the admin password for the admin account. Enphase Envoy contains vulnerabilities related to certificate and password management. As a result, information may be obtained or altered, and service operation may be disrupted (DoS). Enphase Envoy is the core home energy control gateway in Enphase Energy's home energy solution. The vulnerability allows remote attackers to submit special requests and gain unauthorized access to applications.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201902-0281",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "envoy",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "enphase",
            "version": "3.0.0"
          },
          {
            "model": "envoy",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "enphase",
            "version": "3.9.0"
          },
          {
            "model": "envoy",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "enphase energy",
            "version": "r3"
          },
          {
            "model": "energy enphase envoy",
            "scope": null,
            "trust": 0.6,
            "vendor": "enphase",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-06658"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-001891"
          },
          {
            "db": "NVD",
            "id": "CVE-2019-7676"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:enphase:envoy",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-001891"
          }
        ]
      },
      "cve": "CVE-2019-7676",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "CVE-2019-7676",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "CNVD",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.0,
                "id": "CNVD-2019-06658",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.6,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 1.2,
                "id": "CVE-2019-7676",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "trust": 1.8,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2019-7676",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "NVD",
                "id": "CVE-2019-7676",
                "trust": 0.8,
                "value": "High"
              },
              {
                "author": "CNVD",
                "id": "CNVD-2019-06658",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201902-195",
                "trust": 0.6,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-06658"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-001891"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201902-195"
          },
          {
            "db": "NVD",
            "id": "CVE-2019-7676"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account. Enphase Envoy Contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Enphase Envoy is the core home energy control gateway in Enphase Energy\u0027s home energy solution. Allows remote attackers to use vulnerabilities to submit special requests and unauthorized access to applications",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2019-7676"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-001891"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2019-06658"
          }
        ],
        "trust": 2.16
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2019-7676",
            "trust": 3.0
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-001891",
            "trust": 0.8
          },
          {
            "db": "CNVD",
            "id": "CNVD-2019-06658",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201902-195",
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-06658"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-001891"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201902-195"
          },
          {
            "db": "NVD",
            "id": "CVE-2019-7676"
          }
        ]
      },
      "id": "VAR-201902-0281",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-06658"
          }
        ],
        "trust": 1.6
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "Network device"
            ],
            "sub_category": null,
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-06658"
          }
        ]
      },
      "last_update_date": "2024-11-23T22:55:39.775000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Top Page",
            "trust": 0.8,
            "url": "https://enphase.com/en-us"
          },
          {
            "title": "Enphase Envoy has weak password vulnerability",
            "trust": 0.6,
            "url": "https://www.cnvd.org.cn/patchInfo/show/153715"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-06658"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-001891"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-521",
            "trust": 1.0
          },
          {
            "problemtype": "CWE-255",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-001891"
          },
          {
            "db": "NVD",
            "id": "CVE-2019-7676"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.4,
            "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password.txt"
          },
          {
            "trust": 2.4,
            "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_1.png"
          },
          {
            "trust": 2.4,
            "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_2.png"
          },
          {
            "trust": 1.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2019-7676"
          },
          {
            "trust": 0.8,
            "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-7676"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-001891"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201902-195"
          },
          {
            "db": "NVD",
            "id": "CVE-2019-7676"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-06658"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-001891"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201902-195"
          },
          {
            "db": "NVD",
            "id": "CVE-2019-7676"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2019-03-27T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2019-06658"
          },
          {
            "date": "2019-03-28T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2019-001891"
          },
          {
            "date": "2019-02-09T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201902-195"
          },
          {
            "date": "2019-02-09T22:29:00.510000",
            "db": "NVD",
            "id": "CVE-2019-7676"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2019-03-12T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2019-06658"
          },
          {
            "date": "2019-03-28T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2019-001891"
          },
          {
            "date": "2020-08-25T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201902-195"
          },
          {
            "date": "2024-11-21T04:48:31.270000",
            "db": "NVD",
            "id": "CVE-2019-7676"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201902-195"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Enphase Envoy Vulnerabilities related to certificate and password management",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-001891"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "trust management problem",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201902-195"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202106-0267

    Vulnerability from variot - Updated: 2024-08-14 15:27

    An issue was discovered on Enphase Envoy R3.x and D4.x devices with v3 software. The default admin password is set to the last 6 digits of the serial number. The serial number can be retrieved by an unauthenticated user at /info.xml. An unspecified vulnerability exists in Enphase Envoy devices. As a result, information may be obtained or tampered with, and service may be disrupted (DoS). Enphase Energy Envoy is a gateway device used to connect smart home devices from Enphase Energy in the United States.

    Enphase Energy Envoy has security vulnerabilities. No detailed vulnerability information is currently provided.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202106-0267",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "envoy",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "enphase",
            "version": "r3.0"
          },
          {
            "model": "envoy",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "enphase",
            "version": "d4.0"
          },
          {
            "model": "envoy",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "enphase energy",
            "version": "r3.x"
          },
          {
            "model": "envoy",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "enphase energy",
            "version": "d4.x"
          },
          {
            "model": "envoy",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "enphase energy",
            "version": null
          },
          {
            "model": "energy envoy r3.*",
            "scope": null,
            "trust": 0.6,
            "vendor": "enphase",
            "version": null
          },
          {
            "model": "energy envoy d4.*",
            "scope": null,
            "trust": 0.6,
            "vendor": "enphase",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45766"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008489"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25753"
          }
        ]
      },
      "cve": "CVE-2020-25753",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CVE-2020-25753",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 1.9,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "CNVD",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CNVD-2021-45766",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 0.6,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "id": "CVE-2020-25753",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2020-25753",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2020-25753",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "NVD",
                "id": "CVE-2020-25753",
                "trust": 0.8,
                "value": "Critical"
              },
              {
                "author": "CNVD",
                "id": "CNVD-2021-45766",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202106-1346",
                "trust": 0.6,
                "value": "CRITICAL"
              },
              {
                "author": "VULMON",
                "id": "CVE-2020-25753",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45766"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-25753"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008489"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1346"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25753"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "An issue was discovered on Enphase Envoy R3.x and D4.x devices with v3 software. The default admin password is set to the last 6 digits of the serial number. The serial number can be retrieved by an unauthenticated user at /info.xml. Enphase Envoy An unspecified vulnerability exists in the device.Information is obtained, information is tampered with, and service is disrupted  (DoS) It may be put into a state. Enphase Energy Envoy is a gateway device used to connect smart home devices from Enphase Energy in the United States. \n\r\n\r\nEnphase Energy Envoy has security vulnerabilities. No detailed vulnerability details are currently provided",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2020-25753"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008489"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2021-45766"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-25753"
          }
        ],
        "trust": 2.25
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2020-25753",
            "trust": 3.9
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008489",
            "trust": 0.8
          },
          {
            "db": "CNVD",
            "id": "CNVD-2021-45766",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1346",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-25753",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45766"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-25753"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008489"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1346"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25753"
          }
        ]
      },
      "id": "VAR-202106-0267",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45766"
          }
        ],
        "trust": 1.6
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "Network device"
            ],
            "sub_category": null,
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45766"
          }
        ]
      },
      "last_update_date": "2024-08-14T15:27:45.111000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Communication",
            "trust": 0.8,
            "url": "https://enphase.com/en-us/products-and-services/envoy-and-combiner"
          },
          {
            "title": "Patch for Enphase Energy Envoy has an unspecified vulnerability (CNVD-2021-45766)",
            "trust": 0.6,
            "url": "https://www.cnvd.org.cn/patchInfo/show/276111"
          },
          {
            "title": "Enphase Envoy Security vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=155436"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45766"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008489"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1346"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "NVD-CWE-noinfo",
            "trust": 1.0
          },
          {
            "problemtype": "Lack of information (CWE-noinfo) [NVD Evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008489"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25753"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://medium.com/stage-2-security/can-solar-controllers-be-used-to-generate-fake-clean-energy-credits-4a7322e7661a"
          },
          {
            "trust": 1.7,
            "url": "https://stage2sec.com"
          },
          {
            "trust": 1.7,
            "url": "https://enphase.com/en-us/products-and-services/envoy-and-combiner"
          },
          {
            "trust": 1.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-25753"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45766"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-25753"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008489"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1346"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25753"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45766"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-25753"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008489"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1346"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25753"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-06-29T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2021-45766"
          },
          {
            "date": "2021-06-16T00:00:00",
            "db": "VULMON",
            "id": "CVE-2020-25753"
          },
          {
            "date": "2022-03-17T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2021-008489"
          },
          {
            "date": "2021-06-16T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202106-1346"
          },
          {
            "date": "2021-06-16T19:15:23.380000",
            "db": "NVD",
            "id": "CVE-2020-25753"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-06-29T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2021-45766"
          },
          {
            "date": "2021-06-28T00:00:00",
            "db": "VULMON",
            "id": "CVE-2020-25753"
          },
          {
            "date": "2022-03-17T09:02:00",
            "db": "JVNDB",
            "id": "JVNDB-2021-008489"
          },
          {
            "date": "2021-06-29T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202106-1346"
          },
          {
            "date": "2021-06-28T14:22:52.783000",
            "db": "NVD",
            "id": "CVE-2020-25753"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1346"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Enphase\u00a0Envoy\u00a0 Vulnerabilities in devices",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008489"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "other",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1346"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202106-0266

    Vulnerability from variot - Updated: 2024-08-14 14:31

    An issue was discovered on Enphase Envoy R3.x and D4.x devices. There are hardcoded web-panel login passwords for the installer and Enphase accounts. The passwords for these accounts are hardcoded values derived from the MD5 hash of the username and serial number mixed with some static strings. The serial number can be retrieved by an unauthenticated user at /info.xml. These passwords can be easily calculated by an attacker; users are unable to change these passwords. Enphase Envoy is vulnerable to the use of hard-coded credentials. Information may be obtained. Enphase Energy Envoy is a gateway device used to connect smart home devices from Enphase Energy in the United States.

    Enphase Energy Envoy has a trust management vulnerability


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202106-0266",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "envoy",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "enphase",
            "version": "r3.0"
          },
          {
            "model": "envoy",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "enphase",
            "version": "d4.0"
          },
          {
            "model": "envoy",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "enphase energy",
            "version": "r3.x"
          },
          {
            "model": "envoy",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "enphase energy",
            "version": null
          },
          {
            "model": "envoy",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "enphase energy",
            "version": "d4.x"
          },
          {
            "model": "energy envoy r3.*",
            "scope": null,
            "trust": 0.6,
            "vendor": "enphase",
            "version": null
          },
          {
            "model": "energy envoy d4.*",
            "scope": null,
            "trust": 0.6,
            "vendor": "enphase",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45765"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008348"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25752"
          }
        ]
      },
      "cve": "CVE-2020-25752",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CVE-2020-25752",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "CNVD",
                "availabilityImpact": "NONE",
                "baseScore": 5.0,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CNVD-2021-45765",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 0.6,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 3.9,
                "id": "CVE-2020-25752",
                "impactScore": 1.4,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 5.3,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "exploitabilityScore": null,
                "id": "CVE-2020-25752",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2020-25752",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2020-25752",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNVD",
                "id": "CNVD-2021-45765",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202106-1345",
                "trust": 0.6,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45765"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008348"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1345"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25752"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "An issue was discovered on Enphase Envoy R3.x and D4.x devices. There are hardcoded web-panel login passwords for the installer and Enphase accounts. The passwords for these accounts are hardcoded values derived from the MD5 hash of the username and serial number mixed with some static strings. The serial number can be retrieved by an unauthenticated user at /info.xml. These passwords can be easily calculated by an attacker; users are unable to change these passwords. Enphase Envoy Is vulnerable to the use of hard-coded credentials.Information may be obtained. Enphase Energy Envoy is a gateway device used to connect smart home devices from Enphase Energy in the United States. \n\r\n\r\nEnphase Energy Envoy has a trust management vulnerability",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2020-25752"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008348"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2021-45765"
          }
        ],
        "trust": 2.16
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2020-25752",
            "trust": 3.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008348",
            "trust": 0.8
          },
          {
            "db": "CNVD",
            "id": "CNVD-2021-45765",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1345",
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45765"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008348"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1345"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25752"
          }
        ]
      },
      "id": "VAR-202106-0266",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45765"
          }
        ],
        "trust": 1.6
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "Network device"
            ],
            "sub_category": null,
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45765"
          }
        ]
      },
      "last_update_date": "2024-08-14T14:31:43.269000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Communication",
            "trust": 0.8,
            "url": "https://enphase.com/en-us/products-and-services/envoy-and-combiner"
          },
          {
            "title": "Patch for Enphase Energy Envoy trust management issue vulnerability",
            "trust": 0.6,
            "url": "https://www.cnvd.org.cn/patchInfo/show/276106"
          },
          {
            "title": "Enphase Envoy Repair measures for trust management problem vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=155301"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45765"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008348"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1345"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-798",
            "trust": 1.0
          },
          {
            "problemtype": "Using hardcoded credentials (CWE-798) [NVD Evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008348"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25752"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.4,
            "url": "https://medium.com/stage-2-security/can-solar-controllers-be-used-to-generate-fake-clean-energy-credits-4a7322e7661a"
          },
          {
            "trust": 1.6,
            "url": "https://stage2sec.com"
          },
          {
            "trust": 1.6,
            "url": "https://enphase.com/en-us/products-and-services/envoy-and-combiner"
          },
          {
            "trust": 1.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-25752"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45765"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008348"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1345"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25752"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "CNVD",
            "id": "CNVD-2021-45765"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008348"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1345"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-25752"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-06-29T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2021-45765"
          },
          {
            "date": "2022-03-14T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2021-008348"
          },
          {
            "date": "2021-06-16T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202106-1345"
          },
          {
            "date": "2021-06-16T19:15:17.470000",
            "db": "NVD",
            "id": "CVE-2020-25752"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-06-29T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2021-45765"
          },
          {
            "date": "2022-03-14T07:16:00",
            "db": "JVNDB",
            "id": "JVNDB-2021-008348"
          },
          {
            "date": "2021-06-28T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202106-1345"
          },
          {
            "date": "2021-06-24T12:08:21.947000",
            "db": "NVD",
            "id": "CVE-2020-25752"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1345"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Enphase\u00a0Envoy\u00a0 Vulnerability in Using Hard Coded Credentials",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-008348"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "trust management problem",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202106-1345"
          }
        ],
        "trust": 0.6
      }
    }

    CVE-2024-21881 (GCVE-0-2024-21881)

    Vulnerability from nvd – Published: 2024-08-10 17:44 – Updated: 2025-03-11 13:38
    Title
    Upload of encrypted packages allows authenticated command execution in Enphase IQ Gateway v4.x and v5.x
    Summary
    An Inadequate Encryption Strength vulnerability allows an authenticated attacker to execute arbitrary OS commands via encrypted package upload. This issue affects Envoy: 4.x and 5.x.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-326 - Inadequate Encryption Strength
    Assigner
    Impacted products
    Vendor Product Version
    Enphase Envoy Affected: 5.x (semver)
    Affected: 4.x (semver)
    enphase envoy Affected: 4.x
    Affected: 5.x
        cpe:2.3:h:enphase:envoy:-:*:*:*:*:*:*:*
    Date Public
    2024-08-10 17:00
    Credits
    Wietse Boonstra (DIVD) Hidde Smit (DIVD) Frank Breedijk (DIVD) Max van der Horst (DIVD)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:enphase:envoy:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "envoy",
                "vendor": "enphase",
                "versions": [
                  {
                    "status": "affected",
                    "version": "4.x"
                  },
                  {
                    "status": "affected",
                    "version": "5.x"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21881",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-12T16:33:02.874377Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-12T16:37:24.533Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Envoy",
              "vendor": "Enphase",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "4.x",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wietse Boonstra (DIVD)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Hidde Smit (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Max van der Horst (DIVD)"
            }
          ],
          "datePublic": "2024-08-10T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.\u003cp\u003eThis issue affects Envoy: 4.x and 5.x\u003c/p\u003e"
                }
              ],
              "value": "Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.This issue affects Envoy: 4.x and 5.x"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-326",
                  "description": "CWE-326 Inadequate Encryption Strength",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:38:24.981Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2024-21881"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://csirt.divd.nl/DIVD-2024-00011"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://enphase.com/cybersecurity/advisories/ensa-2024-6"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Devices are remotely being updated by the vendor."
                }
              ],
              "value": "Devices are remotely being updated by the vendor."
            }
          ],
          "source": {
            "advisory": "DIVD-2024-00011",
            "discovery": "INTERNAL"
          },
          "title": "Upload of encrypted packages allows authenticated command execution in Enphase IQ Gateway v4.x and v5.x",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "It is advised to not expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
                }
              ],
              "value": "It is advised to not expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2024-21881",
        "datePublished": "2024-08-10T17:44:48.033Z",
        "dateReserved": "2024-01-02T18:30:11.175Z",
        "dateUpdated": "2025-03-11T13:38:24.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-21880 (GCVE-0-2024-21880)

    Vulnerability from nvd – Published: 2024-08-10 17:44 – Updated: 2025-03-11 13:38
    VLAI
    Title
    URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway version 4.x <= 7.x
    Summary
    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the URL parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Enphase) allows OS Command Injection. This issue affects Envoy: 4.x <= 7.x
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Enphase Envoy Affected: 7.x (semver)
    Affected: 6.x (semver)
    Affected: 5.x (semver)
    Affected: 4.x (semver)
    enphase envoy Affected: 4.x , ≤ 7.x (semver)
        cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*
    Date Public
    2024-08-10 17:00
    Credits
    Wietse Boonstra (DIVD) Hidde Smit (DIVD) Frank Breedijk (DIVD) Max van der Horst (DIVD)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "envoy",
                "vendor": "enphase",
                "versions": [
                  {
                    "lessThanOrEqual": "7.x",
                    "status": "affected",
                    "version": "4.x",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21880",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-13T15:35:30.666411Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-13T15:49:26.290Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Envoy",
              "vendor": "Enphase",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "5.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "4.x",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wietse Boonstra (DIVD)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Hidde Smit (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Max van der Horst (DIVD)"
            }
          ],
          "datePublic": "2024-08-10T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability via the url parameter of an authenticated enpoint in Enphase IQ Gateway (formerly known as Enphase) allows OS Command Injection.\u003cp\u003eThis issue affects Envoy: 4.x \u0026lt;= 7.x\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability via the url parameter of an authenticated enpoint in Enphase IQ Gateway (formerly known as Enphase) allows OS Command Injection.This issue affects Envoy: 4.x \u003c= 7.x"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:38:29.210Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2024-21880"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://csirt.divd.nl/DIVD-2024-00011"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://enphase.com/cybersecurity/advisories/ensa-2024-5"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Devices are remotely being updated by the vendor."
                }
              ],
              "value": "Devices are remotely being updated by the vendor."
            }
          ],
          "source": {
            "advisory": "DIVD-2024-00011",
            "discovery": "INTERNAL"
          },
          "title": "URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway version 4.x \u003c= 7.x",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "It is advised to not expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
                }
              ],
              "value": "It is advised to not expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2024-21880",
        "datePublished": "2024-08-10T17:44:48.465Z",
        "dateReserved": "2024-01-02T18:30:11.175Z",
        "dateUpdated": "2025-03-11T13:38:29.210Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-21879 (GCVE-0-2024-21879)

    Vulnerability from nvd – Published: 2024-08-10 17:44 – Updated: 2025-03-11 13:38
    VLAI
    Title
    URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway v4.x to v8.x and < v8.2.4225
    Summary
    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability through a URL parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Enphase Envoy Affected: 8.x , < 8.2.4225 (semver)
    Affected: 7.x (semver)
    Affected: 6.x (semver)
    Affected: 5.x (semver)
    Affected: 4.x (semver)
    enphase envoy Affected: 4.0 , < 8.2.4225 (semver)
        cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*
    Date Public
    2024-08-10 17:00
    Credits
    Wietse Boonstra (DIVD) Hidde Smit (DIVD) Frank Breedijk (DIVD) Max van der Horst (DIVD)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "envoy",
                "vendor": "enphase",
                "versions": [
                  {
                    "lessThan": "8.2.4225",
                    "status": "affected",
                    "version": "4.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21879",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-12T14:15:03.815464Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-13T13:32:41.547Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Envoy",
              "vendor": "Enphase",
              "versions": [
                {
                  "lessThan": "8.2.4225",
                  "status": "affected",
                  "version": "8.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "7.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "5.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "4.x",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wietse Boonstra (DIVD)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Hidde Smit (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Max van der Horst (DIVD)"
            }
          ],
          "datePublic": "2024-08-10T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability through an url parameter of an authenticated enpoint in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection.\u003cp\u003eThis issue affects Envoy: from 4.x to 8.x and \u0026lt; 8.2.4225.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability through an url parameter of an authenticated enpoint in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection.This issue affects Envoy: from 4.x to 8.x and \u003c 8.2.4225."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:38:27.809Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2024-21879"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://csirt.divd.nl/DIVD-2024-00011"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://enphase.com/cybersecurity/advisories/ensa-2024-4"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Devices are remotely being updated by the vendor."
                }
              ],
              "value": "Devices are remotely being updated by the vendor."
            }
          ],
          "source": {
            "advisory": "DIVD-2024-00011",
            "discovery": "INTERNAL"
          },
          "title": "URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway v4.x to v8.x and \u003c v8.2.4225",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "It is advised to not expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
                }
              ],
              "value": "It is advised to not expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2024-21879",
        "datePublished": "2024-08-10T17:44:49.728Z",
        "dateReserved": "2024-01-02T18:30:11.175Z",
        "dateUpdated": "2025-03-11T13:38:27.809Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-21878 (GCVE-0-2024-21878)

    Vulnerability from nvd – Published: 2024-08-10 17:44 – Updated: 2025-03-11 13:38
    VLAI
    Title
    Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x to and including 8.x
    Summary
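    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script. This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched. (Note: the affected-version entries listed below for this record bound the 8.x range at < 8.2.4225, so confirm the fix status for the installed firmware version rather than relying on this wording alone.)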
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Enphase Envoy Affected: 8.x , < 8.2.4225 (semver)
    Affected: 7.x (semver)
    Affected: 6.x (semver)
    Affected: 5.x (semver)
    Affected: 4.x (semver)
    enphase envoy Affected: 4.0 , < 8.2.4225 (semver)
        cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*
    Date Public
    2024-08-10 17:00
    Credits
    Wietse Boonstra (DIVD) Hidde Smit (DIVD) Frank Breedijk (DIVD) Max van der Horst (DIVD)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "envoy",
                "vendor": "enphase",
                "versions": [
                  {
                    "lessThan": "8.2.4225",
                    "status": "affected",
                    "version": "4.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21878",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-12T14:27:02.414547Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-12T14:30:47.907Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Envoy",
              "vendor": "Enphase",
              "versions": [
                {
                  "lessThan": "8.2.4225",
                  "status": "affected",
                  "version": "8.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "7.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "5.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "4.x",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wietse Boonstra (DIVD)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Hidde Smit (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Max van der Horst (DIVD)"
            }
          ],
          "datePublic": "2024-08-10T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script.\u003cp\u003eThis issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script. This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Chain of CVE-2024-21876, CVE-2024-21877 and CVE-2024-21878"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:38:31.973Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2024-21878"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://csirt.divd.nl/DIVD-2024-00011"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://enphase.com/cybersecurity/advisories/ensa-2024-3"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Devices are remotely being updated by the vendor."
                }
              ],
              "value": "Devices are remotely being updated by the vendor."
            }
          ],
          "source": {
            "advisory": "DIVD-2024-00011",
            "discovery": "INTERNAL"
          },
          "title": "Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x to and including 8.x",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "It is advised not to expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network.\u003cbr\u003eThis will ensure that the likelihood of any attacks that can get access to the OS and thus abuse this vulnerability is reduced."
                }
              ],
              "value": "It is advised not to expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network.\nThis will ensure that the likelihood of any attacks that can get access to the OS and thus abuse this vulnerability is reduced."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2024-21878",
        "datePublished": "2024-08-10T17:44:48.892Z",
        "dateReserved": "2024-01-02T18:30:11.174Z",
        "dateUpdated": "2025-03-11T13:38:31.973Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-21877 (GCVE-0-2024-21877)

    Vulnerability from nvd – Published: 2024-08-10 17:44 – Updated: 2025-03-11 13:38
    VLAI
    Title
    Insecure File Generation Based on User Input in Enphase IQ Gateway version 4.x to 8.x and < 8.2.4225
    Summary
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability through a url parameter in Enphase IQ Gateway (formerly known as Envoy) allows File Manipulation. The endpoint requires authentication. This issue affects Envoy: from 4.x to 8.0 and < 8.2.4225.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Enphase Envoy Affected: 8.0 , < 8.2.4225 (semver)
    Affected: 7.x (semver)
    Affected: 6.x (semver)
    Affected: 5.x (semver)
    Affected: 4.x (semver)
    enphase envoy Affected: 8.0 , < 8.2.4225 (semver)
    Affected: 7x
    Affected: 6x
    Affected: 5x
    Affected: 4x
        cpe:2.3:h:enphase:envoy:-:*:*:*:*:*:*:*
    Date Public
    2024-08-10 17:00
    Credits
    Wietse Boonstra (DIVD) Hidde Smit (DIVD) Frank Breedijk (DIVD) Max van der Horst (DIVD)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:enphase:envoy:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "envoy",
                "vendor": "enphase",
                "versions": [
                  {
                    "lessThan": "8.2.4225",
                    "status": "affected",
                    "version": "8.0",
                    "versionType": "semver"
                  },
                  {
                    "status": "affected",
                    "version": "7x"
                  },
                  {
                    "status": "affected",
                    "version": "6x"
                  },
                  {
                    "status": "affected",
                    "version": "5x"
                  },
                  {
                    "status": "affected",
                    "version": "4x"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21877",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-12T12:50:11.563069Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-12T12:54:56.952Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Envoy",
              "vendor": "Enphase",
              "versions": [
                {
                  "lessThan": "8.2.4225",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "7.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "5.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "4.x",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wietse Boonstra (DIVD)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Hidde Smit (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Max van der Horst (DIVD)"
            }
          ],
          "datePublic": "2024-08-10T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability through a url parameter in Enphase IQ Gateway (formerly known as Envoy) allows File Manipulation. The endpoint requires authentication.\u003cp\u003eThis issue affects Envoy: from 4.x to 8.0 and\u0026nbsp;\u0026lt; 8.2.4225.\u003c/p\u003e"
                }
              ],
              "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability through a url parameter in Enphase IQ Gateway (formerly known as Envoy) allows File Manipulation. The endpoint requires authentication. This issue affects Envoy: from 4.x to 8.0 and\u00a0\u003c 8.2.4225."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-165",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-165 File Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NEGLIGIBLE",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "DIFFUSE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/V:D/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Chain of CVE-2024-21876, CVE-2024-21877 and CVE-2024-21878"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:38:26.399Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2024-21877"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://csirt.divd.nl/DIVD-2024-00011"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://enphase.com/cybersecurity/advisories/ensa-2024-2"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Devices are remotely being updated by the vendor."
                }
              ],
              "value": "Devices are remotely being updated by the vendor."
            }
          ],
          "source": {
            "advisory": "DIVD-2024-00011",
            "discovery": "INTERNAL"
          },
          "title": "Insecure File Generation Based on User Input in Enphase IQ Gateway version 4.x to 8.x and \u003c 8.2.4225",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "It is advised not to expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
                }
              ],
              "value": "It is advised not to expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2024-21877",
        "datePublished": "2024-08-10T17:44:49.284Z",
        "dateReserved": "2024-01-02T18:30:11.174Z",
        "dateUpdated": "2025-03-11T13:38:26.399Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-7678 (GCVE-0-2019-7678)

    Vulnerability from nvd – Published: 2019-02-09 22:00 – Updated: 2024-08-04 20:54
    VLAI
    Summary
    A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2019-02-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T20:54:28.446Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_1.png"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_exp.txt"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-02-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-09T22:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_1.png"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_exp.txt"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-7678",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_1.png",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_1.png"
                },
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_exp.txt",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_exp.txt"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-7678",
        "datePublished": "2019-02-09T22:00:00.000Z",
        "dateReserved": "2019-02-09T00:00:00.000Z",
        "dateUpdated": "2024-08-04T20:54:28.446Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-7677 (GCVE-0-2019-7677)

    Vulnerability from nvd – Published: 2019-02-09 22:00 – Updated: 2024-08-04 20:54
    VLAI
    Summary
    XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2019-02-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T20:54:28.302Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/XSS-exp.txt"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/XSS.png"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-02-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-09T22:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/XSS-exp.txt"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/XSS.png"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-7677",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/XSS-exp.txt",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/XSS-exp.txt"
                },
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/XSS.png",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/XSS.png"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-7677",
        "datePublished": "2019-02-09T22:00:00.000Z",
        "dateReserved": "2019-02-09T00:00:00.000Z",
        "dateUpdated": "2024-08-04T20:54:28.302Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-7676 (GCVE-0-2019-7676)

    Vulnerability from nvd – Published: 2019-02-09 22:00 – Updated: 2024-08-04 20:54
    VLAI
    Summary
    A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2019-02-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T20:54:27.999Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_1.png"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_2.png"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password.txt"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-02-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-09T22:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_1.png"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_2.png"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password.txt"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-7676",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_1.png",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_1.png"
                },
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_2.png",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_2.png"
                },
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/weak_password.txt",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password.txt"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-7676",
        "datePublished": "2019-02-09T22:00:00.000Z",
        "dateReserved": "2019-02-09T00:00:00.000Z",
        "dateUpdated": "2024-08-04T20:54:27.999Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-21879 (GCVE-0-2024-21879)

    Vulnerability from cvelistv5 – Published: 2024-08-10 17:44 – Updated: 2025-03-11 13:38
    VLAI
    Title
    URL parameter manipulation allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway v4.x to v8.x and < v8.2.4225
    Summary
    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability through a URL parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Enphase Envoy Affected: 8.x , < 8.2.4225 (semver)
    Affected: 7.x (semver)
    Affected: 6.x (semver)
    Affected: 5.x (semver)
    Affected: 4.x (semver)
    enphase envoy Affected: 4.0 , < 8.2.4225 (semver)
        cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*
    Date Public
    2024-08-10 17:00
    Credits
    Wietse Boonstra (DIVD) Hidde Smit (DIVD) Frank Breedijk (DIVD) Max van der Horst (DIVD)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "envoy",
                "vendor": "enphase",
                "versions": [
                  {
                    "lessThan": "8.2.4225",
                    "status": "affected",
                    "version": "4.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21879",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-12T14:15:03.815464Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-13T13:32:41.547Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Envoy",
              "vendor": "Enphase",
              "versions": [
                {
                  "lessThan": "8.2.4225",
                  "status": "affected",
                  "version": "8.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "7.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "5.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "4.x",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wietse Boonstra (DIVD)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Hidde Smit (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Max van der Horst (DIVD)"
            }
          ],
          "datePublic": "2024-08-10T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability through a URL parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection.\u003cp\u003eThis issue affects Envoy: from 4.x to 8.x and \u0026lt; 8.2.4225.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability through a URL parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This issue affects Envoy: from 4.x to 8.x and \u003c 8.2.4225."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:38:27.809Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2024-21879"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://csirt.divd.nl/DIVD-2024-00011"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://enphase.com/cybersecurity/advisories/ensa-2024-4"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Devices are remotely being updated by the vendor."
                }
              ],
              "value": "Devices are remotely being updated by the vendor."
            }
          ],
          "source": {
            "advisory": "DIVD-2024-00011",
            "discovery": "INTERNAL"
          },
          "title": "URL parameter manipulation allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway v4.x to v8.x and \u003c v8.2.4225",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "It is advised not to expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
                }
              ],
              "value": "It is advised not to expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2024-21879",
        "datePublished": "2024-08-10T17:44:49.728Z",
        "dateReserved": "2024-01-02T18:30:11.175Z",
        "dateUpdated": "2025-03-11T13:38:27.809Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-21877 (GCVE-0-2024-21877)

    Vulnerability from cvelistv5 – Published: 2024-08-10 17:44 – Updated: 2025-03-11 13:38
    VLAI
    Title
    Insecure File Generation Based on User Input in Enphase IQ Gateway version 4.x to 8.x and < 8.2.4225
    Summary
    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability through a URL parameter in Enphase IQ Gateway (formerly known as Envoy) allows File Manipulation. The endpoint requires authentication. This issue affects Envoy: from 4.x to 8.0 and < 8.2.4225.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    Enphase Envoy Affected: 8.0 , < 8.2.4225 (semver)
    Affected: 7.x (semver)
    Affected: 6.x (semver)
    Affected: 5.x (semver)
    Affected: 4.x (semver)
    enphase envoy Affected: 8.0 , < 8.2.4225 (semver)
    Affected: 7x
    Affected: 6x
    Affected: 5x
    Affected: 4x
        cpe:2.3:h:enphase:envoy:-:*:*:*:*:*:*:*
    Date Public
    2024-08-10 17:00
    Credits
    Wietse Boonstra (DIVD) Hidde Smit (DIVD) Frank Breedijk (DIVD) Max van der Horst (DIVD)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:enphase:envoy:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "envoy",
                "vendor": "enphase",
                "versions": [
                  {
                    "lessThan": "8.2.4225",
                    "status": "affected",
                    "version": "8.0",
                    "versionType": "semver"
                  },
                  {
                    "status": "affected",
                    "version": "7x"
                  },
                  {
                    "status": "affected",
                    "version": "6x"
                  },
                  {
                    "status": "affected",
                    "version": "5x"
                  },
                  {
                    "status": "affected",
                    "version": "4x"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21877",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-12T12:50:11.563069Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-12T12:54:56.952Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Envoy",
              "vendor": "Enphase",
              "versions": [
                {
                  "lessThan": "8.2.4225",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "7.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "5.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "4.x",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wietse Boonstra (DIVD)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Hidde Smit (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Max van der Horst (DIVD)"
            }
          ],
          "datePublic": "2024-08-10T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability through a URL parameter in Enphase IQ Gateway (formerly known as Envoy) allows File Manipulation. The endpoint requires authentication.\u003cp\u003eThis issue affects Envoy: from 4.x to 8.0 and\u0026nbsp;\u0026lt; 8.2.4225.\u003c/p\u003e"
                }
              ],
              "value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability through a URL parameter in Enphase IQ Gateway (formerly known as Envoy) allows File Manipulation. The endpoint requires authentication. This issue affects Envoy: from 4.x to 8.0 and\u00a0\u003c 8.2.4225."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-165",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-165 File Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "NOT_DEFINED",
                "Safety": "NEGLIGIBLE",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "DIFFUSE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/V:D/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Chain of CVE-2024-21876, CVE-2024-21877 and CVE-2024-21878"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:38:26.399Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2024-21877"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://csirt.divd.nl/DIVD-2024-00011"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://enphase.com/cybersecurity/advisories/ensa-2024-2"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Devices are remotely being updated by the vendor."
                }
              ],
              "value": "Devices are remotely being updated by the vendor."
            }
          ],
          "source": {
            "advisory": "DIVD-2024-00011",
            "discovery": "INTERNAL"
          },
          "title": "Insecure File Generation Based on User Input in Enphase IQ Gateway version 4.x to 8.x and \u003c 8.2.4225",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "It is advised not to expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
                }
              ],
              "value": "It is advised not to expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2024-21877",
        "datePublished": "2024-08-10T17:44:49.284Z",
        "dateReserved": "2024-01-02T18:30:11.174Z",
        "dateUpdated": "2025-03-11T13:38:26.399Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-21878 (GCVE-0-2024-21878)

    Vulnerability from cvelistv5 – Published: 2024-08-10 17:44 – Updated: 2025-03-11 13:38
    VLAI
    Title
    Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x to and including 8.x
    Summary
    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script. This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Enphase Envoy Affected: 8.x , < 8.2.4225 (semver)
    Affected: 7.x (semver)
    Affected: 6.x (semver)
    Affected: 5.x (semver)
    Affected: 4.x (semver)
    enphase envoy Affected: 4.0 , < 8.2.4225 (semver)
        cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*
    Date Public
    2024-08-10 17:00
    Credits
    Wietse Boonstra (DIVD) Hidde Smit (DIVD) Frank Breedijk (DIVD) Max van der Horst (DIVD)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "envoy",
                "vendor": "enphase",
                "versions": [
                  {
                    "lessThan": "8.2.4225",
                    "status": "affected",
                    "version": "4.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21878",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-12T14:27:02.414547Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-12T14:30:47.907Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Envoy",
              "vendor": "Enphase",
              "versions": [
                {
                  "lessThan": "8.2.4225",
                  "status": "affected",
                  "version": "8.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "7.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "5.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "4.x",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wietse Boonstra (DIVD)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Hidde Smit (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Max van der Horst (DIVD)"
            }
          ],
          "datePublic": "2024-08-10T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script.\u003cp\u003eThis issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script. This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "Chain of CVE-2024-21876, CVE-2024-21877 and CVE-2024-21878"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:38:31.973Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2024-21878"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://csirt.divd.nl/DIVD-2024-00011"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://enphase.com/cybersecurity/advisories/ensa-2024-3"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Devices are remotely being updated by the vendor."
                }
              ],
              "value": "Devices are remotely being updated by the vendor."
            }
          ],
          "source": {
            "advisory": "DIVD-2024-00011",
            "discovery": "INTERNAL"
          },
          "title": "Command Injection through Unsafe File Name Evaluation in internal script in Enphase IQ Gateway v4.x to and including 8.x",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "It is advised to not expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network.\u003cbr\u003eThis will ensure that the likelihood of any attacks that can get access to the OS and thus abuse this vulnerability is reduced."
                }
              ],
              "value": "It is advised to not expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network.\nThis will ensure that the likelihood of any attacks that can get access to the OS and thus abuse this vulnerability is reduced."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2024-21878",
        "datePublished": "2024-08-10T17:44:48.892Z",
        "dateReserved": "2024-01-02T18:30:11.174Z",
        "dateUpdated": "2025-03-11T13:38:31.973Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-21880 (GCVE-0-2024-21880)

    Vulnerability from cvelistv5 – Published: 2024-08-10 17:44 – Updated: 2025-03-11 13:38
    VLAI
    Title
    URL parameter manipulation allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway version 4.x <= 7.x
    Summary
    Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the url parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Enphase) allows OS Command Injection. This issue affects Envoy: 4.x <= 7.x
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    Enphase Envoy Affected: 7.x (semver)
    Affected: 6.x (semver)
    Affected: 5.x (semver)
    Affected: 4.x (semver)
    enphase envoy Affected: 4.x , ≤ 7.x (semver)
        cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*
    Date Public
    2024-08-10 17:00
    Credits
    Wietse Boonstra (DIVD) Hidde Smit (DIVD) Frank Breedijk (DIVD) Max van der Horst (DIVD)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:enphase:envoy:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "envoy",
                "vendor": "enphase",
                "versions": [
                  {
                    "lessThanOrEqual": "7.x",
                    "status": "affected",
                    "version": "4.x",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21880",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-13T15:35:30.666411Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-13T15:49:26.290Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Envoy",
              "vendor": "Enphase",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "6.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "5.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "4.x",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wietse Boonstra (DIVD)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Hidde Smit (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Max van der Horst (DIVD)"
            }
          ],
          "datePublic": "2024-08-10T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability via the url parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Enphase) allows OS Command Injection.\u003cp\u003eThis issue affects Envoy: 4.x \u0026lt;= 7.x\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027) vulnerability via the url parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Enphase) allows OS Command Injection. This issue affects Envoy: 4.x \u003c= 7.x"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:38:29.210Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2024-21880"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://csirt.divd.nl/DIVD-2024-00011"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://enphase.com/cybersecurity/advisories/ensa-2024-5"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Devices are remotely being updated by the vendor."
                }
              ],
              "value": "Devices are remotely being updated by the vendor."
            }
          ],
          "source": {
            "advisory": "DIVD-2024-00011",
            "discovery": "INTERNAL"
          },
          "title": "URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway version 4.x \u003c= 7.x",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "It is advised to not expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
                }
              ],
              "value": "It is advised to not expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2024-21880",
        "datePublished": "2024-08-10T17:44:48.465Z",
        "dateReserved": "2024-01-02T18:30:11.175Z",
        "dateUpdated": "2025-03-11T13:38:29.210Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-21881 (GCVE-0-2024-21881)

    Vulnerability from cvelistv5 – Published: 2024-08-10 17:44 – Updated: 2025-03-11 13:38
    VLAI
    Title
    Upload of encrypted packages allows authenticated command execution in Enphase IQ Gateway v4.x and v5.x
    Summary
    Inadequate Encryption Strength vulnerability allows an authenticated attacker to execute arbitrary OS Commands via encrypted package upload. This issue affects Envoy: 4.x and 5.x
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-326 - Inadequate Encryption Strength
    Assigner
    Impacted products
    Vendor Product Version
    Enphase Envoy Affected: 5.x (semver)
    Affected: 4.x (semver)
    enphase envoy Affected: 4.x
    Affected: 5.x
        cpe:2.3:h:enphase:envoy:-:*:*:*:*:*:*:*
    Date Public
    2024-08-10 17:00
    Credits
    Wietse Boonstra (DIVD) Hidde Smit (DIVD) Frank Breedijk (DIVD) Max van der Horst (DIVD)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:enphase:envoy:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "envoy",
                "vendor": "enphase",
                "versions": [
                  {
                    "status": "affected",
                    "version": "4.x"
                  },
                  {
                    "status": "affected",
                    "version": "5.x"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21881",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-12T16:33:02.874377Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-12T16:37:24.533Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Envoy",
              "vendor": "Enphase",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.x",
                  "versionType": "semver"
                },
                {
                  "status": "affected",
                  "version": "4.x",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Wietse Boonstra (DIVD)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Hidde Smit (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Frank Breedijk (DIVD)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "Max van der Horst (DIVD)"
            }
          ],
          "datePublic": "2024-08-10T17:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Inadequate Encryption Strength vulnerability allows an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.\u003cp\u003eThis issue affects Envoy: 4.x and 5.x\u003c/p\u003e"
                }
              ],
              "value": "Inadequate Encryption Strength vulnerability allows an authenticated attacker to execute arbitrary OS Commands via encrypted package upload. This issue affects Envoy: 4.x and 5.x"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-88",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-88 OS Command Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "IRRECOVERABLE",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/S:P/AU:Y/R:I/V:C/RE:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-326",
                  "description": "CWE-326 Inadequate Encryption Strength",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-11T13:38:24.981Z",
            "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
            "shortName": "DIVD"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://csirt.divd.nl/CVE-2024-21881"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://csirt.divd.nl/DIVD-2024-00011"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://enphase.com/cybersecurity/advisories/ensa-2024-6"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Devices are remotely being updated by the vendor."
                }
              ],
              "value": "Devices are remotely being updated by the vendor."
            }
          ],
          "source": {
            "advisory": "DIVD-2024-00011",
            "discovery": "INTERNAL"
          },
          "title": "Upload of encrypted packages allows authenticated command execution in Enphase IQ Gateway v4.x and v5.x",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "It is advised to not expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
                }
              ],
              "value": "It is advised to not expose this device to untrusted network access. In other words, make sure this device is not reachable from the internet, a guest network or a public network."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
        "assignerShortName": "DIVD",
        "cveId": "CVE-2024-21881",
        "datePublished": "2024-08-10T17:44:48.033Z",
        "dateReserved": "2024-01-02T18:30:11.175Z",
        "dateUpdated": "2025-03-11T13:38:24.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-7678 (GCVE-0-2019-7678)

    Vulnerability from cvelistv5 – Published: 2019-02-09 22:00 – Updated: 2024-08-04 20:54
    VLAI
    Summary
    A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2019-02-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T20:54:28.446Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_1.png"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_exp.txt"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-02-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-09T22:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_1.png"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_exp.txt"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-7678",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_1.png",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_1.png"
                },
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_exp.txt",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/directory_traversal_exp.txt"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-7678",
        "datePublished": "2019-02-09T22:00:00.000Z",
        "dateReserved": "2019-02-09T00:00:00.000Z",
        "dateUpdated": "2024-08-04T20:54:28.446Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-7677 (GCVE-0-2019-7677)

    Vulnerability from cvelistv5 – Published: 2019-02-09 22:00 – Updated: 2024-08-04 20:54
    VLAI
    Summary
    XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2019-02-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T20:54:28.302Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/XSS-exp.txt"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/XSS.png"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-02-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-09T22:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/XSS-exp.txt"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/XSS.png"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-7677",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/XSS-exp.txt",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/XSS-exp.txt"
                },
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/XSS.png",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/XSS.png"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-7677",
        "datePublished": "2019-02-09T22:00:00.000Z",
        "dateReserved": "2019-02-09T00:00:00.000Z",
        "dateUpdated": "2024-08-04T20:54:28.302Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-7676 (GCVE-0-2019-7676)

    Vulnerability from cvelistv5 – Published: 2019-02-09 22:00 – Updated: 2024-08-04 20:54
    Summary
    A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account.
    Severity
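    No CVSS data available: the CVE record below carries no metrics block, so the missing score is an absence of data, not a low-severity rating.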
    CWE
    • n/a
    Assigner
    Date Public
    2019-02-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T20:54:27.999Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_1.png"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_2.png"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password.txt"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-02-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-02-09T22:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_1.png"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_2.png"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password.txt"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-7676",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_1.png",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_1.png"
                },
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_2.png",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password_2.png"
                },
                {
                  "name": "https://github.com/pudding2/enphase-energy/blob/master/weak_password.txt",
                  "refsource": "MISC",
                  "url": "https://github.com/pudding2/enphase-energy/blob/master/weak_password.txt"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-7676",
        "datePublished": "2019-02-09T22:00:00.000Z",
        "dateReserved": "2019-02-09T00:00:00.000Z",
        "dateUpdated": "2024-08-04T20:54:27.999Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }