CRITICAL🇬🇧 English

CVE-2023-3267

CVSS 9.1v3.1pub. 2023-08-14upd. 2024-11-21

When adding a remote backup location, an authenticated user can pass arbitrary OS commands through the username field. The username is passed without sanitization into CMD running as NT/Authority System. An authenticated attacker can leverage this vulnerability to execute arbitrary code with system-level access to the CyberPower PowerPanel Enterprise server.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Cyberpower Powerpanel Server

    APP
    Cyberpower
    < 2.6.9
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCECommand Injection
CWE
Referencje

Powiązane podatności

CVE-2023-3265CRITICAL9.8ten sam produkt

An authentication bypass exists on CyberPower PowerPanel Enterprise by failing to sanitize meta-characters fro...

CVE-2023-3266CRITICAL9.8ten sam produkt

A non-feature complete authentication mechanism exists in the production application allowing an attacker to b...

CVE-2023-3260HIGH7.2ten sam produkt

The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to command injection v...

CVE-2023-3261HIGH7.5ten sam produkt

The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier contains a buffer overflow vulnerabi...

CVE-2023-3264MEDIUM6.7ten sam produkt

The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier uses hard-coded credentials for all ...