1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: CyberPower
- Equipment: PowerPanel
- Vulnerabilities: Use of Hard-coded Password, Relative Path Traversal, Use of Hard-coded Credentials, Active Debug Code, Storing Passwords in a Recoverable Format, Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’), Use of Hard-coded Cryptographic Key, Improper Authorization
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in an attacker bypassing authentication and gaining administrator privileges, forging JWT tokens to bypass authentication, writing arbitrary files to the server and achieving code execution, gaining access to services with the privileges of a PowerPanel application, gaining access to the testing or production server, learning passwords and authenticating with user or administrator privileges, injecting SQL syntax, writing arbitrary files to the system, executing remote code, impersonating any client in the system and sending malicious data, or obtaining data from throughout the system after gaining access to any device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of PowerPanel, a business management software, are affected:
- PowerPanel: 4.9.0 and prior
3.2 Vulnerability Overview
3.2.1 USE OF HARD-CODED PASSWORD CWE-259
The application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges.
CVE-2024-34025 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (This article has been indexed from All CISA Advisories