Search

Find a vulnerability

Search criteria

    32 vulnerabilities found for powerpanel by cyberpower

    CVE-2024-34025 (GCVE-0-2024-34025)

    Vulnerability from nvd – Published: 2024-05-15 19:17 – Updated: 2024-08-02 02:42
    VLAI
    Title
    CyberPower PowerPanel business Use of Hard-coded Password
    Summary
    CyberPower PowerPanel business application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-34025",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T15:23:17.392578Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:41:18.194Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:42:59.906Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\nCyberPower PowerPanel business application code contains a hard-coded set of authentication \ncredentials. This could result in an attacker bypassing authentication \nand gaining administrator privileges.\n\n"
                }
              ],
              "value": "CyberPower PowerPanel business application code contains a hard-coded set of authentication \ncredentials. This could result in an attacker bypassing authentication \nand gaining administrator privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-259",
                  "description": "CWE-259",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:17:37.188Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Use of Hard-coded Password",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-34025",
        "datePublished": "2024-05-15T19:17:37.188Z",
        "dateReserved": "2024-04-29T16:47:22.329Z",
        "dateUpdated": "2024-08-02T02:42:59.906Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-33625 (GCVE-0-2024-33625)

    Vulnerability from nvd – Published: 2024-05-15 19:19 – Updated: 2024-08-02 02:36
    VLAI
    Title
    CyberPower PowerPanel business Use of Hard-coded Password
    Summary
    CyberPower PowerPanel business application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-33625",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T18:45:00.332821Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:45:30.871Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:36:04.325Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\nCyberPower PowerPanel business \napplication code contains a hard-coded JWT signing key. This could \nresult in an attacker forging JWT tokens to bypass authentication.\n\n"
                }
              ],
              "value": "CyberPower PowerPanel business \napplication code contains a hard-coded JWT signing key. This could \nresult in an attacker forging JWT tokens to bypass authentication."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-259",
                  "description": "CWE-259",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:19:53.960Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Use of Hard-coded Password",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-33625",
        "datePublished": "2024-05-15T19:19:53.960Z",
        "dateReserved": "2024-04-29T16:47:22.341Z",
        "dateUpdated": "2024-08-02T02:36:04.325Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32053 (GCVE-0-2024-32053)

    Vulnerability from nvd – Published: 2024-05-15 19:34 – Updated: 2024-08-02 02:06
    VLAI
    Title
    CyberPower PowerPanel business Use of Hard-coded Credentials
    Summary
    Hard-coded credentials are used by the  CyberPower PowerPanel platform to authenticate to the database, other services, and the cloud. This could result in an attacker gaining access to services with the privileges of a Powerpanel business application.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32053",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T15:58:18.805976Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:51:38.726Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:06:43.251Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hard-coded credentials are used by the\u0026nbsp;\nCyberPower PowerPanel \n\n platform to authenticate to the \ndatabase, other services, and the cloud. This could result in an \nattacker gaining access to services with the privileges of a Powerpanel \nbusiness application.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Hard-coded credentials are used by the\u00a0\nCyberPower PowerPanel \n\n platform to authenticate to the \ndatabase, other services, and the cloud. This could result in an \nattacker gaining access to services with the privileges of a Powerpanel \nbusiness application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:34:30.153Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Use of Hard-coded Credentials",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-32053",
        "datePublished": "2024-05-15T19:34:30.153Z",
        "dateReserved": "2024-04-29T16:47:22.358Z",
        "dateUpdated": "2024-08-02T02:06:43.251Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32047 (GCVE-0-2024-32047)

    Vulnerability from nvd – Published: 2024-05-15 19:36 – Updated: 2024-08-02 02:06
    VLAI
    Title
    CyberPower PowerPanel business Active Debug Code
    Summary
    Hard-coded credentials for the CyberPower PowerPanel test server can be found in the production code. This might result in an attacker gaining access to the testing or production server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32047",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T18:13:39.475129Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:50:55.367Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:06:43.550Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hard-coded credentials for the \nCyberPower PowerPanel test server can be found in the \nproduction code. This might result in an attacker gaining access to the \ntesting or production server.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Hard-coded credentials for the \nCyberPower PowerPanel test server can be found in the \nproduction code. This might result in an attacker gaining access to the \ntesting or production server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-489",
                  "description": "CWE-489",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:36:41.936Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Active Debug Code",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-32047",
        "datePublished": "2024-05-15T19:36:41.936Z",
        "dateReserved": "2024-04-29T16:47:22.349Z",
        "dateUpdated": "2024-08-02T02:06:43.550Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32042 (GCVE-0-2024-32042)

    Vulnerability from nvd – Published: 2024-05-15 19:39 – Updated: 2024-08-02 02:06
    VLAI
    Title
    CyberPower PowerPanel business Storing Passwords in a Recoverable Format
    Summary
    The key used to encrypt passwords stored in the database can be found in the CyberPower PowerPanel application code, allowing the passwords to be recovered.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32042",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-24T18:50:17.986724Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:51:52.502Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:06:43.266Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\nThe key used to encrypt passwords stored in the database can be found in\n the \nCyberPower PowerPanel\n\napplication code, allowing the passwords to be recovered.\n\n\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "The key used to encrypt passwords stored in the database can be found in\n the \nCyberPower PowerPanel\n\napplication code, allowing the passwords to be recovered."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-257",
                  "description": "CWE-257",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:39:08.086Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Storing Passwords in a Recoverable Format",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-32042",
        "datePublished": "2024-05-15T19:39:08.086Z",
        "dateReserved": "2024-04-29T16:47:22.354Z",
        "dateUpdated": "2024-08-02T02:06:43.266Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-31856 (GCVE-0-2024-31856)

    Vulnerability from nvd – Published: 2024-05-15 19:52 – Updated: 2024-08-02 01:59
    VLAI
    Title
    CyberPower PowerPanel business SQL Injection
    Summary
    An attacker with certain MQTT permissions can create malicious messages to all CyberPower PowerPanel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-31856",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T18:07:00.379722Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:36:10.715Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:59:49.843Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\n\nAn attacker with certain MQTT permissions can create malicious messages \nto all CyberPower PowerPanel devices. This could result in an attacker injecting \nSQL syntax, writing arbitrary files to the system, and executing remote \ncode.\n\n\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "An attacker with certain MQTT permissions can create malicious messages \nto all CyberPower PowerPanel devices. This could result in an attacker injecting \nSQL syntax, writing arbitrary files to the system, and executing remote \ncode."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:52:37.407Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-31856",
        "datePublished": "2024-05-15T19:52:37.407Z",
        "dateReserved": "2024-04-29T16:47:22.333Z",
        "dateUpdated": "2024-08-02T01:59:49.843Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-31410 (GCVE-0-2024-31410)

    Vulnerability from nvd – Published: 2024-05-15 19:56 – Updated: 2024-08-02 01:52
    VLAI
    Title
    CyberPower PowerPanel business Use of Hard-coded Cryptographic Key
    Summary
    The devices which CyberPower PowerPanel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send malicious data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-31410",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T19:10:08.503295Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:36:22.390Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:52:56.912Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\n\n\nThe devices which CyberPower PowerPanel manages use identical certificates based on a \nhard-coded cryptographic key. This can allow an attacker to impersonate \nany client in the system and send malicious data.\n\n\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "The devices which CyberPower PowerPanel manages use identical certificates based on a \nhard-coded cryptographic key. This can allow an attacker to impersonate \nany client in the system and send malicious data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:56:00.616Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Use of Hard-coded Cryptographic Key",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-31410",
        "datePublished": "2024-05-15T19:56:00.616Z",
        "dateReserved": "2024-04-29T16:47:22.319Z",
        "dateUpdated": "2024-08-02T01:52:56.912Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-31409 (GCVE-0-2024-31409)

    Vulnerability from nvd – Published: 2024-05-15 20:00 – Updated: 2025-08-07 18:26
    VLAI
    Title
    CyberPower PowerPanel business Incorrect Authorization
    Summary
    Certain MQTT wildcards are not blocked on the CyberPower PowerPanel system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-31409",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-24T18:48:30.373199Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:36:52.524Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:52:56.873Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\n\nCertain MQTT wildcards are not blocked on the \nCyberPower PowerPanel\n\nsystem, which might result in an attacker obtaining data from throughout the system after gaining access to any device.\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Certain MQTT wildcards are not blocked on the \nCyberPower PowerPanel\n\nsystem, which might result in an attacker obtaining data from throughout the system after gaining access to any device."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-07T18:26:54.578Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Incorrect Authorization",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-31409",
        "datePublished": "2024-05-15T20:00:22.532Z",
        "dateReserved": "2024-04-29T16:47:22.337Z",
        "dateUpdated": "2025-08-07T18:26:54.578Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32739 (GCVE-0-2024-32739)

    Vulnerability from nvd – Published: 2024-05-09 14:58 – Updated: 2025-03-28 19:02
    VLAI Shadowserver
    Title
    CyberPower PowerPanel Enterprise SQL Injection
    Summary
    A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_verbose" function within MCUDBHelper.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower CyberPower PowerPanel Enterprise Affected: 0 , < 2.8.3 (custom)
    Create a notification for this product.
    cyberpower powerpanel_enterprise Affected: 0 , < 2.8.3 (custom)
        cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_enterprise",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "2.8.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32739",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-09T17:27:43.196774Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T19:02:37.662Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.176Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2024-14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CyberPower PowerPanel Enterprise",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "2.8.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_verbose\" function within MCUDBHelper.\u003cbr\u003e"
                }
              ],
              "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_verbose\" function within MCUDBHelper.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-09T14:58:30.263Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2024-14"
            },
            {
              "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CyberPower PowerPanel Enterprise SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2024-32739",
        "datePublished": "2024-05-09T14:58:30.263Z",
        "dateReserved": "2024-04-17T11:47:39.834Z",
        "dateUpdated": "2025-03-28T19:02:37.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32738 (GCVE-0-2024-32738)

    Vulnerability from nvd – Published: 2024-05-09 14:58 – Updated: 2024-08-02 02:20
    Title
    CyberPower PowerPanel Enterprise SQL Injection
    Summary
    A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_lean" function within MCUDBHelper.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower CyberPower PowerPanel Enterprise Affected: 0 , < 2.8.3 (custom)
    Create a notification for this product.
    cyberpower powerpanel_enterprise Affected: 0 , < 2.8.3 (semver)
        cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_enterprise",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "2.8.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32738",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-09T19:31:56.799538Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:50:01.621Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.332Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2024-14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CyberPower PowerPanel Enterprise",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "2.8.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_lean\" function within MCUDBHelper.\u003cbr\u003e"
                }
              ],
              "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_lean\" function within MCUDBHelper.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-09T14:58:13.209Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2024-14"
            },
            {
              "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CyberPower PowerPanel Enterprise SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2024-32738",
        "datePublished": "2024-05-09T14:58:13.209Z",
        "dateReserved": "2024-04-17T11:47:39.834Z",
        "dateUpdated": "2024-08-02T02:20:35.332Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32737 (GCVE-0-2024-32737)

    Vulnerability from nvd – Published: 2024-05-09 14:57 – Updated: 2024-08-02 02:20
    VLAI Shadowserver
    Title
    CyberPower PowerPanel Enterprise SQL Injection
    Summary
    A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_contract_result" function within MCUDBHelper.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower CyberPower PowerPanel Enterprise Affected: 0 , < 2.8.3 (custom)
    Create a notification for this product.
    cyberpower powerpanel_enterprise Affected: 0 , < 2.8.3 (custom)
        cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_enterprise",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "2.8.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32737",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-09T17:22:26.942838Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:51:42.633Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.316Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2024-14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CyberPower PowerPanel Enterprise",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "2.8.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_contract_result\" function within MCUDBHelper.\u003cbr\u003e"
                }
              ],
              "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_contract_result\" function within MCUDBHelper.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-09T14:57:57.579Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2024-14"
            },
            {
              "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CyberPower PowerPanel Enterprise SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2024-32737",
        "datePublished": "2024-05-09T14:57:57.579Z",
        "dateReserved": "2024-04-17T11:47:39.834Z",
        "dateUpdated": "2024-08-02T02:20:35.316Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32736 (GCVE-0-2024-32736)

    Vulnerability from nvd – Published: 2024-05-09 14:57 – Updated: 2025-03-25 18:10
    VLAI Shadowserver
    Title
    CyberPower PowerPanel Enterprise SQL Injection
    Summary
    A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_utask_verbose" function within MCUDBHelper.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower CyberPower PowerPanel Enterprise Affected: 0 , < 2.8.3 (custom)
    Create a notification for this product.
    cyberpower powerpanel_enterprise Affected: 0 , < 2.8.3 (custom)
        cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_enterprise",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "2.8.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32736",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-29T18:44:47.600450Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-25T18:10:55.407Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.213Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2024-14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CyberPower PowerPanel Enterprise",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "2.8.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_utask_verbose\" function within MCUDBHelper.\u003cbr\u003e"
                }
              ],
              "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_utask_verbose\" function within MCUDBHelper.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-09T14:57:38.850Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2024-14"
            },
            {
              "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CyberPower PowerPanel Enterprise SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2024-32736",
        "datePublished": "2024-05-09T14:57:38.850Z",
        "dateReserved": "2024-04-17T11:47:39.834Z",
        "dateUpdated": "2025-03-25T18:10:55.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32735 (GCVE-0-2024-32735)

    Vulnerability from nvd – Published: 2024-05-09 14:54 – Updated: 2024-08-02 02:20
    Title
    CyberPower PowerPanel Enterprise Missing Authentication
    Summary
    An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower CyberPower PowerPanel Enterprise Affected: 0 , < 2.8.3 (custom)
    Create a notification for this product.
    cyberpower powerpanel_enterprise Affected: 0 , < 2.8.3 (custom)
        cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "powerpanel_enterprise",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "2.8.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32735",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-04T19:45:38.473682Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-306",
                    "description": "CWE-306 Missing Authentication for Critical Function",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T19:52:06.138Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "ADP Container"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.343Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2024-14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CyberPower PowerPanel Enterprise",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "2.8.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application."
                }
              ],
              "value": "An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-09T14:54:45.407Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2024-14"
            },
            {
              "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CyberPower PowerPanel Enterprise Missing Authentication",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2024-32735",
        "datePublished": "2024-05-09T14:54:45.407Z",
        "dateReserved": "2024-04-17T11:47:39.834Z",
        "dateUpdated": "2024-08-02T02:20:35.343Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25133 (GCVE-0-2023-25133)

    Vulnerability from nvd – Published: 2023-04-24 00:00 – Updated: 2025-02-04 17:22
    VLAI
    Title
    Improper privilege management vulnerability in CyberPower PowerPanel Business
    Summary
    Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to execute operation system commands via unspecified vectors.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel Business Local / Remote Affected: unspecified , ≤ v4.8.6 (custom)
    Create a notification for this product.
    CyberPower PowerPanel Business Management Affected: unspecified , ≤ v4.8.6 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:35.307Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://zuso.ai/Advisory/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_linux#downloads"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_mac#downloads"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_virtual_machine#downloads"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25133",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-04T17:22:25.498117Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-04T17:22:44.012Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "Windows, MacOS, Linux"
              ],
              "product": "PowerPanel Business Local / Remote",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThanOrEqual": "v4.8.6",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "Windows, MacOS, Linux"
              ],
              "product": "PowerPanel Business Management",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThanOrEqual": "v4.8.6",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to execute operation system commands via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-24T00:00:00.000Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "url": "https://zuso.ai/Advisory/"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_linux#downloads"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_mac#downloads"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_virtual_machine#downloads"
            }
          ],
          "source": {
            "defect": [
              "ZA-2023-03"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Improper privilege management vulnerability in CyberPower PowerPanel Business",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2023-25133",
        "datePublished": "2023-04-24T00:00:00.000Z",
        "dateReserved": "2023-02-02T00:00:00.000Z",
        "dateUpdated": "2025-02-04T17:22:44.012Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25132 (GCVE-0-2023-25132)

    Vulnerability from nvd – Published: 2023-04-24 00:00 – Updated: 2025-02-04 17:25
    VLAI
    Title
    Unrestricted upload of file with dangerous type vulnerability in CyberPower PowerPanel Business
    Summary
    Unrestricted upload of file with dangerous type vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to execute operation system commands via unspecified vectors.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-434 - Unrestricted Upload of File with Dangerous Type
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel Business Local / Remote Affected: unspecified , ≤ v4.8.6 (custom)
    Create a notification for this product.
    CyberPower PowerPanel Business Management Affected: unspecified , ≤ v4.8.6 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:35.973Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://zuso.ai/Advisory/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_linux#downloads"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_mac#downloads"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_virtual_machine#downloads"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25132",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-04T17:25:10.879424Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-04T17:25:19.666Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "Windows, MacOS, Linux"
              ],
              "product": "PowerPanel Business Local / Remote",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThanOrEqual": "v4.8.6",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "Windows, MacOS, Linux"
              ],
              "product": "PowerPanel Business Management",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThanOrEqual": "v4.8.6",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Unrestricted upload of file with dangerous type vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to execute operation system commands via unspecified vectors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-24T00:00:00.000Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "url": "https://zuso.ai/Advisory/"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_linux#downloads"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_mac#downloads"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_virtual_machine#downloads"
            }
          ],
          "source": {
            "defect": [
              "ZA-2023-02"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Unrestricted upload of file with dangerous type vulnerability in CyberPower PowerPanel Business",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2023-25132",
        "datePublished": "2023-04-24T00:00:00.000Z",
        "dateReserved": "2023-02-02T00:00:00.000Z",
        "dateUpdated": "2025-02-04T17:25:19.666Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25131 (GCVE-0-2023-25131)

    Vulnerability from nvd – Published: 2023-04-24 00:00 – Updated: 2025-02-04 17:25
    VLAI
    Title
    Use of default password vulnerability in CyberPower PowerPanel Business
    Summary
    Use of default password vulnerability in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the 'admin' password.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel Business Local / Remote Affected: unspecified , ≤ v4.8.6 (custom)
    Create a notification for this product.
    CyberPower PowerPanel Business Management Affected: unspecified , ≤ v4.8.6 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:35.329Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://zuso.ai/Advisory/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_linux#downloads"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_mac#downloads"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_virtual_machine#downloads"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25131",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-04T17:25:46.888522Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-04T17:25:51.219Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "windows, MacOS, Linux"
              ],
              "product": "PowerPanel Business Local / Remote",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThanOrEqual": "v4.8.6",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "windows, MacOS, Linux"
              ],
              "product": "PowerPanel Business Management",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThanOrEqual": "v4.8.6",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Use of default password vulnerability in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the \u0027admin\u0027 password."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1393",
                  "description": "CWE-1393 Use of Default Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-24T00:00:00.000Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "url": "https://zuso.ai/Advisory/"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_linux#downloads"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_mac#downloads"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_virtual_machine#downloads"
            }
          ],
          "source": {
            "defect": [
              "ZA-2023-01"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Use of default password vulnerability in CyberPower PowerPanel Business",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2023-25131",
        "datePublished": "2023-04-24T00:00:00.000Z",
        "dateReserved": "2023-02-02T00:00:00.000Z",
        "dateUpdated": "2025-02-04T17:25:51.219Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-31409 (GCVE-0-2024-31409)

    Vulnerability from cvelistv5 – Published: 2024-05-15 20:00 – Updated: 2025-08-07 18:26
    VLAI
    Title
    CyberPower PowerPanel business Incorrect Authorization
    Summary
    Certain MQTT wildcards are not blocked on the CyberPower PowerPanel system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-31409",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-24T18:48:30.373199Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:36:52.524Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:52:56.873Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\n\nCertain MQTT wildcards are not blocked on the \nCyberPower PowerPanel\n\nsystem, which might result in an attacker obtaining data from throughout the system after gaining access to any device.\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "Certain MQTT wildcards are not blocked on the \nCyberPower PowerPanel\n\nsystem, which might result in an attacker obtaining data from throughout the system after gaining access to any device."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-07T18:26:54.578Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Incorrect Authorization",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-31409",
        "datePublished": "2024-05-15T20:00:22.532Z",
        "dateReserved": "2024-04-29T16:47:22.337Z",
        "dateUpdated": "2025-08-07T18:26:54.578Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-31410 (GCVE-0-2024-31410)

    Vulnerability from cvelistv5 – Published: 2024-05-15 19:56 – Updated: 2024-08-02 01:52
    VLAI
    Title
    CyberPower PowerPanel business Use of Hard-coded Cryptographic Key
    Summary
    The devices which CyberPower PowerPanel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send malicious data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-31410",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T19:10:08.503295Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:36:22.390Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:52:56.912Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\n\n\nThe devices which CyberPower PowerPanel manages use identical certificates based on a \nhard-coded cryptographic key. This can allow an attacker to impersonate \nany client in the system and send malicious data.\n\n\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "The devices which CyberPower PowerPanel manages use identical certificates based on a \nhard-coded cryptographic key. This can allow an attacker to impersonate \nany client in the system and send malicious data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:56:00.616Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Use of Hard-coded Cryptographic Key",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-31410",
        "datePublished": "2024-05-15T19:56:00.616Z",
        "dateReserved": "2024-04-29T16:47:22.319Z",
        "dateUpdated": "2024-08-02T01:52:56.912Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-31856 (GCVE-0-2024-31856)

    Vulnerability from cvelistv5 – Published: 2024-05-15 19:52 – Updated: 2024-08-02 01:59
    VLAI
    Title
    CyberPower PowerPanel business SQL Injection
    Summary
    An attacker with certain MQTT permissions can create malicious messages to all CyberPower PowerPanel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-31856",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T18:07:00.379722Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:36:10.715Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:59:49.843Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\n\nAn attacker with certain MQTT permissions can create malicious messages \nto all CyberPower PowerPanel devices. This could result in an attacker injecting \nSQL syntax, writing arbitrary files to the system, and executing remote \ncode.\n\n\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "An attacker with certain MQTT permissions can create malicious messages \nto all CyberPower PowerPanel devices. This could result in an attacker injecting \nSQL syntax, writing arbitrary files to the system, and executing remote \ncode."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:52:37.407Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-31856",
        "datePublished": "2024-05-15T19:52:37.407Z",
        "dateReserved": "2024-04-29T16:47:22.333Z",
        "dateUpdated": "2024-08-02T01:59:49.843Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32042 (GCVE-0-2024-32042)

    Vulnerability from cvelistv5 – Published: 2024-05-15 19:39 – Updated: 2024-08-02 02:06
    VLAI
    Title
    CyberPower PowerPanel business Storing Passwords in a Recoverable Format
    Summary
    The key used to encrypt passwords stored in the database can be found in the CyberPower PowerPanel application code, allowing the passwords to be recovered.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32042",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-24T18:50:17.986724Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:51:52.502Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:06:43.266Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003e\nThe key used to encrypt passwords stored in the database can be found in\n the \nCyberPower PowerPanel\n\napplication code, allowing the passwords to be recovered.\n\n\u003cbr\u003e\u003c/div\u003e"
                }
              ],
              "value": "The key used to encrypt passwords stored in the database can be found in\n the \nCyberPower PowerPanel\n\napplication code, allowing the passwords to be recovered."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-257",
                  "description": "CWE-257",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:39:08.086Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Storing Passwords in a Recoverable Format",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-32042",
        "datePublished": "2024-05-15T19:39:08.086Z",
        "dateReserved": "2024-04-29T16:47:22.354Z",
        "dateUpdated": "2024-08-02T02:06:43.266Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32047 (GCVE-0-2024-32047)

    Vulnerability from cvelistv5 – Published: 2024-05-15 19:36 – Updated: 2024-08-02 02:06
    VLAI
    Title
    CyberPower PowerPanel business Active Debug Code
    Summary
    Hard-coded credentials for the CyberPower PowerPanel test server can be found in the production code. This might result in an attacker gaining access to the testing or production server.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32047",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T18:13:39.475129Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:50:55.367Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:06:43.550Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hard-coded credentials for the \nCyberPower PowerPanel test server can be found in the \nproduction code. This might result in an attacker gaining access to the \ntesting or production server.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Hard-coded credentials for the \nCyberPower PowerPanel test server can be found in the \nproduction code. This might result in an attacker gaining access to the \ntesting or production server."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-489",
                  "description": "CWE-489",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:36:41.936Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Active Debug Code",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-32047",
        "datePublished": "2024-05-15T19:36:41.936Z",
        "dateReserved": "2024-04-29T16:47:22.349Z",
        "dateUpdated": "2024-08-02T02:06:43.550Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32053 (GCVE-0-2024-32053)

    Vulnerability from cvelistv5 – Published: 2024-05-15 19:34 – Updated: 2024-08-02 02:06
    VLAI
    Title
    CyberPower PowerPanel business Use of Hard-coded Credentials
    Summary
    Hard-coded credentials are used by the  CyberPower PowerPanel platform to authenticate to the database, other services, and the cloud. This could result in an attacker gaining access to services with the privileges of a Powerpanel business application.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32053",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T15:58:18.805976Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:51:38.726Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:06:43.251Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hard-coded credentials are used by the\u0026nbsp;\nCyberPower PowerPanel \n\n platform to authenticate to the \ndatabase, other services, and the cloud. This could result in an \nattacker gaining access to services with the privileges of a Powerpanel \nbusiness application.\n\n\u003cbr\u003e"
                }
              ],
              "value": "Hard-coded credentials are used by the\u00a0\nCyberPower PowerPanel \n\n platform to authenticate to the \ndatabase, other services, and the cloud. This could result in an \nattacker gaining access to services with the privileges of a Powerpanel \nbusiness application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:34:30.153Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Use of Hard-coded Credentials",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-32053",
        "datePublished": "2024-05-15T19:34:30.153Z",
        "dateReserved": "2024-04-29T16:47:22.358Z",
        "dateUpdated": "2024-08-02T02:06:43.251Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-33625 (GCVE-0-2024-33625)

    Vulnerability from cvelistv5 – Published: 2024-05-15 19:19 – Updated: 2024-08-02 02:36
    VLAI
    Title
    CyberPower PowerPanel business Use of Hard-coded Password
    Summary
    CyberPower PowerPanel business application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-33625",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T18:45:00.332821Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:45:30.871Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:36:04.325Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\nCyberPower PowerPanel business \napplication code contains a hard-coded JWT signing key. This could \nresult in an attacker forging JWT tokens to bypass authentication.\n\n"
                }
              ],
              "value": "CyberPower PowerPanel business \napplication code contains a hard-coded JWT signing key. This could \nresult in an attacker forging JWT tokens to bypass authentication."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-259",
                  "description": "CWE-259",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:19:53.960Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Use of Hard-coded Password",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-33625",
        "datePublished": "2024-05-15T19:19:53.960Z",
        "dateReserved": "2024-04-29T16:47:22.341Z",
        "dateUpdated": "2024-08-02T02:36:04.325Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-34025 (GCVE-0-2024-34025)

    Vulnerability from cvelistv5 – Published: 2024-05-15 19:17 – Updated: 2024-08-02 02:42
    VLAI
    Title
    CyberPower PowerPanel business Use of Hard-coded Password
    Summary
    CyberPower PowerPanel business application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel business Affected: 0 , < 4.9.0 (custom)
    Create a notification for this product.
    cyberpower powerpanel_business Affected: 0 , < 4.9.0 (custom)
        cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_business",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "4.9.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-34025",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-16T15:23:17.392578Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:41:18.194Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:42:59.906Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPanel business",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "4.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\nCyberPower PowerPanel business application code contains a hard-coded set of authentication \ncredentials. This could result in an attacker bypassing authentication \nand gaining administrator privileges.\n\n"
                }
              ],
              "value": "CyberPower PowerPanel business application code contains a hard-coded set of authentication \ncredentials. This could result in an attacker bypassing authentication \nand gaining administrator privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-259",
                  "description": "CWE-259",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-15T19:17:37.188Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\u003cp\u003eCyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\"\u003ehttps://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            }
          ],
          "source": {
            "advisory": "ICSA-24-123-01",
            "discovery": "EXTERNAL"
          },
          "title": "CyberPower PowerPanel business Use of Hard-coded Password",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2024-34025",
        "datePublished": "2024-05-15T19:17:37.188Z",
        "dateReserved": "2024-04-29T16:47:22.329Z",
        "dateUpdated": "2024-08-02T02:42:59.906Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32739 (GCVE-0-2024-32739)

    Vulnerability from cvelistv5 – Published: 2024-05-09 14:58 – Updated: 2025-03-28 19:02
    VLAI Shadowserver
    Title
    CyberPower PowerPanel Enterprise SQL Injection
    Summary
    A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_verbose" function within MCUDBHelper.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower CyberPower PowerPanel Enterprise Affected: 0 , < 2.8.3 (custom)
    Create a notification for this product.
    cyberpower powerpanel_enterprise Affected: 0 , < 2.8.3 (custom)
        cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_enterprise",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "2.8.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32739",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-09T17:27:43.196774Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T19:02:37.662Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.176Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2024-14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CyberPower PowerPanel Enterprise",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "2.8.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_verbose\" function within MCUDBHelper.\u003cbr\u003e"
                }
              ],
              "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_verbose\" function within MCUDBHelper.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-09T14:58:30.263Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2024-14"
            },
            {
              "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CyberPower PowerPanel Enterprise SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2024-32739",
        "datePublished": "2024-05-09T14:58:30.263Z",
        "dateReserved": "2024-04-17T11:47:39.834Z",
        "dateUpdated": "2025-03-28T19:02:37.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32738 (GCVE-0-2024-32738)

    Vulnerability from cvelistv5 – Published: 2024-05-09 14:58 – Updated: 2024-08-02 02:20
    Title
    CyberPower PowerPanel Enterprise SQL Injection
    Summary
    A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_lean" function within MCUDBHelper.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower CyberPower PowerPanel Enterprise Affected: 0 , < 2.8.3 (custom)
    Create a notification for this product.
    cyberpower powerpanel_enterprise Affected: 0 , < 2.8.3 (semver)
        cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_enterprise",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "2.8.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32738",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-09T19:31:56.799538Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:50:01.621Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.332Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2024-14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CyberPower PowerPanel Enterprise",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "2.8.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_lean\" function within MCUDBHelper.\u003cbr\u003e"
                }
              ],
              "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_ptask_lean\" function within MCUDBHelper.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-09T14:58:13.209Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2024-14"
            },
            {
              "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CyberPower PowerPanel Enterprise SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2024-32738",
        "datePublished": "2024-05-09T14:58:13.209Z",
        "dateReserved": "2024-04-17T11:47:39.834Z",
        "dateUpdated": "2024-08-02T02:20:35.332Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32737 (GCVE-0-2024-32737)

    Vulnerability from cvelistv5 – Published: 2024-05-09 14:57 – Updated: 2024-08-02 02:20
    VLAI Shadowserver
    Title
    CyberPower PowerPanel Enterprise SQL Injection
    Summary
    A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_contract_result" function within MCUDBHelper.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower CyberPower PowerPanel Enterprise Affected: 0 , < 2.8.3 (custom)
    Create a notification for this product.
    cyberpower powerpanel_enterprise Affected: 0 , < 2.8.3 (custom)
        cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_enterprise",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "2.8.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32737",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-09T17:22:26.942838Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:51:42.633Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.316Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2024-14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CyberPower PowerPanel Enterprise",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "2.8.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_contract_result\" function within MCUDBHelper.\u003cbr\u003e"
                }
              ],
              "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_contract_result\" function within MCUDBHelper.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-09T14:57:57.579Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2024-14"
            },
            {
              "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CyberPower PowerPanel Enterprise SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2024-32737",
        "datePublished": "2024-05-09T14:57:57.579Z",
        "dateReserved": "2024-04-17T11:47:39.834Z",
        "dateUpdated": "2024-08-02T02:20:35.316Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32736 (GCVE-0-2024-32736)

    Vulnerability from cvelistv5 – Published: 2024-05-09 14:57 – Updated: 2025-03-25 18:10
    VLAI Shadowserver
    Title
    CyberPower PowerPanel Enterprise SQL Injection
    Summary
    A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_utask_verbose" function within MCUDBHelper.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower CyberPower PowerPanel Enterprise Affected: 0 , < 2.8.3 (custom)
    Create a notification for this product.
    cyberpower powerpanel_enterprise Affected: 0 , < 2.8.3 (custom)
        cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "powerpanel_enterprise",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "2.8.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32736",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-29T18:44:47.600450Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-25T18:10:55.407Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.213Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2024-14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CyberPower PowerPanel Enterprise",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "2.8.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can leak sensitive information via the \"query_utask_verbose\" function within MCUDBHelper.\u003cbr\u003e"
                }
              ],
              "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_utask_verbose\" function within MCUDBHelper.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-09T14:57:38.850Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2024-14"
            },
            {
              "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CyberPower PowerPanel Enterprise SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2024-32736",
        "datePublished": "2024-05-09T14:57:38.850Z",
        "dateReserved": "2024-04-17T11:47:39.834Z",
        "dateUpdated": "2025-03-25T18:10:55.407Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32735 (GCVE-0-2024-32735)

    Vulnerability from cvelistv5 – Published: 2024-05-09 14:54 – Updated: 2024-08-02 02:20
    Title
    CyberPower PowerPanel Enterprise Missing Authentication
    Summary
    An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower CyberPower PowerPanel Enterprise Affected: 0 , < 2.8.3 (custom)
    Create a notification for this product.
    cyberpower powerpanel_enterprise Affected: 0 , < 2.8.3 (custom)
        cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "powerpanel_enterprise",
                "vendor": "cyberpower",
                "versions": [
                  {
                    "lessThan": "2.8.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32735",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-04T19:45:38.473682Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-306",
                    "description": "CWE-306 Missing Authentication for Critical Function",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T19:52:06.138Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "ADP Container"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.343Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.tenable.com/security/research/tra-2024-14"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CyberPower PowerPanel Enterprise",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThan": "2.8.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u0026nbsp;An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application."
                }
              ],
              "value": "An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-09T14:54:45.407Z",
            "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
            "shortName": "tenable"
          },
          "references": [
            {
              "url": "https://www.tenable.com/security/research/tra-2024-14"
            },
            {
              "url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07\u0026fileSubType=FileReleaseNote"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "CyberPower PowerPanel Enterprise Missing Authentication",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
        "assignerShortName": "tenable",
        "cveId": "CVE-2024-32735",
        "datePublished": "2024-05-09T14:54:45.407Z",
        "dateReserved": "2024-04-17T11:47:39.834Z",
        "dateUpdated": "2024-08-02T02:20:35.343Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-25131 (GCVE-0-2023-25131)

    Vulnerability from cvelistv5 – Published: 2023-04-24 00:00 – Updated: 2025-02-04 17:25
    VLAI
    Title
    Use of default password vulnerability in CyberPower PowerPanel Business
    Summary
    Use of default password vulnerability in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the 'admin' password.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    CyberPower PowerPanel Business Local / Remote Affected: unspecified , ≤ v4.8.6 (custom)
    Create a notification for this product.
    CyberPower PowerPanel Business Management Affected: unspecified , ≤ v4.8.6 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T11:18:35.329Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://zuso.ai/Advisory/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_linux#downloads"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_mac#downloads"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_virtual_machine#downloads"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-25131",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-04T17:25:46.888522Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-04T17:25:51.219Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "windows, MacOS, Linux"
              ],
              "product": "PowerPanel Business Local / Remote",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThanOrEqual": "v4.8.6",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "platforms": [
                "windows, MacOS, Linux"
              ],
              "product": "PowerPanel Business Management",
              "vendor": "CyberPower",
              "versions": [
                {
                  "lessThanOrEqual": "v4.8.6",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Use of default password vulnerability in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Business Management for Windows v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 32bit v4.8.6 and earlier, PowerPanel Business Local/Remote for Linux 64bit v4.8.6 and earlier, PowerPanel Business Management for Linux 32bit v4.8.6 and earlier, PowerPanel Business Management for Linux 64bit v4.8.6 and earlier, PowerPanel Business Local/Remote for MacOS v4.8.6 and earlier, and PowerPanel Business Management for MacOS v4.8.6 and earlier allows remote attackers to log in to the server directly to perform administrative functions. Upon installation or upon first login, the application does not ask the user to change the \u0027admin\u0027 password."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1393",
                  "description": "CWE-1393 Use of Default Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-04-24T00:00:00.000Z",
            "orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
            "shortName": "ZUSO ART"
          },
          "references": [
            {
              "url": "https://zuso.ai/Advisory/"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_linux#downloads"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_mac#downloads"
            },
            {
              "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_virtual_machine#downloads"
            }
          ],
          "source": {
            "defect": [
              "ZA-2023-01"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Use of default password vulnerability in CyberPower PowerPanel Business",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
        "assignerShortName": "ZUSO ART",
        "cveId": "CVE-2023-25131",
        "datePublished": "2023-04-24T00:00:00.000Z",
        "dateReserved": "2023-02-02T00:00:00.000Z",
        "dateUpdated": "2025-02-04T17:25:51.219Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }