CVE-2024-32738 – CyberPower PowerPanel Enterprise SQL Injection
https://notcve.org/view.php?id=CVE-2024-32738
A SQL injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_ptask_lean" function within MCUDBHelper. • https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote https://www.tenable.com/security/research/tra-2024-14 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-32737 – CyberPower PowerPanel Enterprise SQL Injection
https://notcve.org/view.php?id=CVE-2024-32737
A SQL injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_contract_result" function within MCUDBHelper. • https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote https://www.tenable.com/security/research/tra-2024-14 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-32736 – CyberPower PowerPanel Enterprise SQL Injection
https://notcve.org/view.php?id=CVE-2024-32736
A SQL injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_utask_verbose" function within MCUDBHelper. • https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote https://www.tenable.com/security/research/tra-2024-14
CVE-2024-32735 – CyberPower PowerPanel Enterprise Missing Authentication
https://notcve.org/view.php?id=CVE-2024-32735
An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can access the PDNU REST APIs, which may result in compromise of the application. • https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote https://www.tenable.com/security/research/tra-2024-14 • CWE-306: Missing Authentication for Critical Function
CVE-2023-3267
https://notcve.org/view.php?id=CVE-2023-3267
When adding a remote backup location, an authenticated user can pass arbitrary OS commands through the username field. The username is passed without sanitization into CMD running as NT AUTHORITY\SYSTEM. An authenticated attacker can leverage this vulnerability to execute arbitrary code with system-level access to the CyberPower PowerPanel Enterprise server. • https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurking-in-data-centers.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')