Lucene search

TrellixCVELIST:CVE-2023-3266

HistoryAug 14, 2023 - 4:09 a.m.

CVE-2023-3266

2023-08-1404:09:45

CWE-358

trellix

www.cve.org

cve-2023-3266

authentication

ldap

vulnerability

exploitation

administrator

powerpanel enterprise

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.002

Percentile

54.8%

JSON

A non-feature complete authentication mechanism exists in the production application allowing an attacker to bypass all authentication checks if LDAP authentication is selected.An unauthenticated attacker can leverage this vulnerability to log in to the CypberPower PowerPanel Enterprise as an administrator by selecting LDAP authentication from a hidden HTML combo box. Successful exploitation of this vulnerability also requires the attacker to know at least one username on the device, but any password will authenticate successfully.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "PowerPanel Enterprise",
    "vendor": "CyberPower",
    "versions": [
      {
        "status": "affected",
        "version": "v2.6.0"
      }
    ]
  }
]

References

www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurking-in-data-centers.html

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.002

Percentile

54.8%

JSON

Related for CVELIST:CVE-2023-3266