22 matches found
CVE-2023-51593
Voltronic Power ViewPower Pro is affected by a remote code execution due to a Struts2 expression language injection flaw. The vulnerability allows unauthenticated attackers to execute arbitrary code in the context of LOCAL SERVICE. Root cause: a vulnerable expression language handling in a Struts...
CVE-2023-51590
CVE-2023-51590 affects Voltronic Power ViewPower Pro. The vulnerability is an unrestricted file upload in the UpLoadAction class, caused by insufficient validation of user-supplied data. This allows remote attackers to upload arbitrary files and execute code with LOCAL SERVICE privileges, without...
CVE-2023-51574
CVE-2023-51574 — Voltronic Power ViewPower authentication bypass . Affected software: Voltronic Power ViewPower (monitoring/management software for solar inverters). Vulnerability: The flaw exists in the updateManagerPassword method where a dangerous function is exposed, enabling remote attackers...
CVE-2023-51591
This CVE affects Voltronic Power ViewPower Pro, where the doDocument method improperly restricts XML External Entity (XXE) references, allowing an attacker to craft a document that causes the XML parser to fetch a URI and embed its contents back into the XML for processing. The vulnerability can ...
CVE-2023-51572
Voltronic Power ViewPower Pro is affected by CVE-2023-51572 due to an OS command injection in getMacAddressByIP. The flaw stems from insufficient validation of a user-supplied string before it is used to execute a system call, enabling remote code execution with SYSTEM privileges without authenti...
CVE-2023-51588
CVE-2023-51588 involves Voltronic Power ViewPower Pro with a MySQL configuration flaw caused by hard-coded credentials. The vulnerability enables local privilege escalation, allowing an attacker who can run low-privileged code to escalate to SYSTEM and execute arbitrary code within that context. ...
CVE-2023-51595
Vulnerability (CVE-2023-51595) : Voltronic Power ViewPower Pro is affected by a SQL injection in the selectDeviceListBy method. The flaw stems from insufficient validation of a user-supplied string used to build SQL queries, allowing an attacker to execute arbitrary code in the context of LOCAL S...
CVE-2023-51575
CVE-2023-51575 concerns Voltronic Power ViewPower MonitorConsole, where an exposed dangerous method in the MonitorConsole class enables remote code execution with no authentication. Documents confirm RCE context and lack of required privileges, affecting Voltronic Power ViewPower installations, b...
CVE-2023-51584
CVE-2023-51584 affects Voltronic Power ViewPower Pro. The vulnerability is in the shutdown/Shutdown method which exposes a dangerous method, enabling remote code execution in the context of the current user. An attacker must have user interaction (an administrator must trigger the shutdown operat...
CVE-2023-51587
CVE-2023-51587 relates to Voltronic Power ViewPower, where the vulnerable component is the getModbusPassword method. The root cause is a lack of authentication before accessing this functionality, enabling remote attackers to disclose stored credentials. The issue is documented across multiple so...
CVE-2023-51586
Voltronic Power ViewPower Pro is affected by a SQL injection in the selectEventConfig method, allowing remote code execution with no authentication. The flaw arises from unsafely using a user-supplied string to construct SQL queries, enabling code execution in the context of LOCAL SERVICE. Docume...
CVE-2023-51571
CVE-2023-51571 : In Voltronic Power ViewPower Pro, the SocketService has missing authentication, allowing remote attackers to trigger a denial-of-service. The flaw resides in the SocketService component (UDP 41222 by default); no authentication precedes access to functionality, enabling an unauth...
CVE-2023-51582
Affected product: Voltronic Power ViewPower, specifically the LinuxMonitorConsole component. Vulnerability summary: An exposed dangerous method in LinuxMonitorConsole allows remote attackers to execute arbitrary code, without authentication, in the context of the current user. This is described a...
CVE-2023-51585
CVE-2023-51585 affects Voltronic Power ViewPower Pro (USBCommEx shutdown) where the shutdown method uses a user-supplied string in a system call without proper validation, enabling remote code execution in the context of the current user. Exploitation requires administrator-triggered shutdown and...
CVE-2023-51573
Voltronic Power ViewPower Pro is affected by CVE-2023-51573. The flaw resides in the updateManagerPassword function, where exposure of a dangerous function enables an unauthenticated attacker to bypass authentication remotely. Products and advisories consistently cite an authentication bypass wit...
CVE-2023-51581
CVE-2023-51581 affects Voltronic Power ViewPower, specifically the MacMonitorConsole class, where an exposed dangerous method enables remote code execution with no authentication. The ZDI advisory and NVD/NVD-derived metrics indicate a high-severity, remote code execution vulnerability (CVSSv3.0:...
CVE-2023-51570
CVE-2023-51570 affects Voltronic Power ViewPower Pro. The vulnerability exists in the RMI interface (defaults to TCP port 41009) where untrusted data is deserialized without proper validation, enabling remote code execution in the context of SYSTEM. The entry is supported by multiple sources (ZDI...
CVE-2023-51576
Summary: CVE-2023-51576 affects Voltronic Power ViewPower. The vulnerability exists in the RMI interface listening by default on TCP port 51099 and stems from improper validation of user-supplied data, allowing deserialization of untrusted data and resulting in remote code execution in the contex...
CVE-2023-51579
CVE-2023-51579 affects Voltronic Power ViewPower. Root cause: incorrect permissions on folders in the product installer, enabling local privilege escalation to SYSTEM when an attacker can execute low-privileged code. Exploitation is local with low complexity and no user interaction; no patch/vers...
CVE-2023-51583
CVE-2023-51583 affects Voltronic Power ViewPower; the flaw is in the UpsScheduler class due to an exposed dangerous method, enabling remote code execution with SYSTEM context. It requires no authentication and is exploitable over the network (per ZDI advisory). The available documents confirm the...
CVE-2023-51577
Voltronic Power ViewPower contains a local privilege escalation in the setShutdown method. The flaw arises from an exposed dangerous method that allows a low-privileged attacker who can run code locally to escalate to SYSTEM and execute arbitrary code. This is documented across multiple sources (...
CVE-2023-51578
CVE-2023-51578 affects Voltronic Power ViewPower MonitorConsole. The flaw is an exposed dangerous method in the MonitorConsole class enabling remote DoS without authentication. Public sources (ZDI-23-1884) confirm the issue, but no concrete remediation/version fix is provided in the connected doc...