Lucene search

IcscertCVELIST:CVE-2024-33615

HistoryMay 15, 2024 - 7:23 p.m.

CVE-2024-33615 CyberPower PowerPanel business Relative Path Traversal

2024-05-1519:23:24

CWE-23

icscert

www.cve.org

cve-2024-33615

zip file

path traversal

file writing

remote code execution

cyberpower powerpanel

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

A specially crafted Zip file containing path traversal characters can be
imported to the
CyberPower PowerPanel

server, which allows file writing to the server outside
the intended scope, and could allow an attacker to achieve remote code
execution.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "PowerPanel business",
    "vendor": "CyberPower",
    "versions": [
      {
        "lessThan": "4.9.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/news-events/ics-advisories/icsa-24-123-01

www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2024-33615