Lucene search

IcscertCVE-2024-33615

HistoryMay 15, 2024 - 8:15 p.m.

CVE-2024-33615

2024-05-1520:15:12

CWE-23

icscert

web.nvd.nist.gov

zip file

path traversal

remote code execution

cyberpower powerpanel

file writing

cve-2024-33615

nvd

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

EPSS

Percentile

9.0%

JSON

A specially crafted Zip file containing path traversal characters can be
imported to the
CyberPower PowerPanel

server, which allows file writing to the server outside
the intended scope, and could allow an attacker to achieve remote code
execution.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "PowerPanel business",
    "vendor": "CyberPower",
    "versions": [
      {
        "lessThan": "4.9.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/news-events/ics-advisories/icsa-24-123-01

www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

EPSS

Percentile

9.0%

JSON

Related for CVE-2024-33615