CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51585 – Voltronic Power ViewPower USBCommEx shutdown Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-51585
20 Dec 2023 — Voltronic Power ViewPower USBCommEx shutdown Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. User interaction is required to exploit this vulnerability in that an administrator must trigger a shutdown operation. The specific flaw exists within the shutdown method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a sys... • https://www.zerodayinitiative.com/advisories/ZDI-23-1890 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51586 – Voltronic Power ViewPower Pro selectEventConfig SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-51586
20 Dec 2023 — Voltronic Power ViewPower Pro selectEventConfig SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the selectEventConfig method. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. • https://www.zerodayinitiative.com/advisories/ZDI-23-1891 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51587 – Voltronic Power ViewPower getModbusPassword Missing Authentication Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-51587
20 Dec 2023 — Voltronic Power ViewPower getModbusPassword Missing Authentication Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getModbusPassword method. The issue results from the lack of authentication prior to allowing access to functionality. • https://www.zerodayinitiative.com/advisories/ZDI-23-1892 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51588 – Voltronic Power ViewPower Pro MySQL Use of Hard-coded Credentials Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-51588
20 Dec 2023 — Voltronic Power ViewPower Pro MySQL Use of Hard-coded Credentials Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Voltronic Power ViewPower Pro. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of a MySQL instance. The issue results from hardcoded database credentials. • https://www.zerodayinitiative.com/advisories/ZDI-23-1893 • CWE-798: Use of Hard-coded Credentials •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51590 – Voltronic Power ViewPower Pro UpLoadAction Unrestricted File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-51590
20 Dec 2023 — Voltronic Power ViewPower Pro UpLoadAction Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UpLoadAction class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. • https://www.zerodayinitiative.com/advisories/ZDI-23-1894 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51591 – Voltronic Power ViewPower Pro doDocument XML External Entity Processing Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-51591
20 Dec 2023 — Voltronic Power ViewPower Pro doDocument XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the doDocument method. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI... • https://www.zerodayinitiative.com/advisories/ZDI-23-1895 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51593 – Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-51593
20 Dec 2023 — Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Struts2 dependency. The issue results from the use of a library that is vulnerable to expression language injection. • https://www.zerodayinitiative.com/advisories/ZDI-23-1896 • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •