All the vulnerabilites related to Voltronic Power - ViewPower Pro
cve-2023-51591
Vulnerability from cvelistv5
Published
2024-05-03 02:15
Modified
2024-08-02 22:40
Severity ?
EPSS score ?
Summary
Voltronic Power ViewPower Pro doDocument XML External Entity Processing Information Disclosure Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-23-1895/ | x_research-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Voltronic Power | ViewPower Pro |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronic_power:viewpower_pro:2.0-22165:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower_pro",
"vendor": "voltronic_power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T19:55:36.735112Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:20:22.090Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:33.746Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1895",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1895/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower Pro",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"dateAssigned": "2023-12-20T14:45:49.371-06:00",
"datePublic": "2023-12-20T17:09:39.000-06:00",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower Pro doDocument XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the doDocument method. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of LOCAL SERVICE. Was ZDI-CAN-22081."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T02:15:20.820Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1895",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1895/"
}
],
"source": {
"lang": "en",
"value": "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044"
},
"title": "Voltronic Power ViewPower Pro doDocument XML External Entity Processing Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51591",
"datePublished": "2024-05-03T02:15:20.820Z",
"dateReserved": "2023-12-20T20:38:20.870Z",
"dateUpdated": "2024-08-02T22:40:33.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-51570
Vulnerability from cvelistv5
Published
2024-04-01 21:14
Modified
2024-08-02 22:40
Severity ?
EPSS score ?
Summary
Voltronic Power ViewPower Pro Deserialization of Untrusted Data Remote Code Execution Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-23-1876/ | x_research-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Voltronic Power | ViewPower Pro |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronicpower:viewpower:1.04.21353:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower",
"vendor": "voltronicpower",
"versions": [
{
"status": "affected",
"version": "1.04.21353"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51570",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T19:49:21.811979Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:20:56.609Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:33.150Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1876",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1876/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower Pro",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"dateAssigned": "2023-12-20T14:45:49.233-06:00",
"datePublic": "2023-12-20T17:08:43.781-06:00",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower Pro Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the RMI interface, which listens on TCP port 41009 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21012."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T21:14:36.193Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1876",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1876/"
}
],
"source": {
"lang": "en",
"value": "Simon Janz (@esj4y) "
},
"title": "Voltronic Power ViewPower Pro Deserialization of Untrusted Data Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51570",
"datePublished": "2024-04-01T21:14:36.193Z",
"dateReserved": "2023-12-20T20:38:20.866Z",
"dateUpdated": "2024-08-02T22:40:33.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-51571
Vulnerability from cvelistv5
Published
2024-04-01 21:17
Modified
2024-08-27 15:33
Severity ?
EPSS score ?
Summary
Voltronic Power ViewPower Pro SocketService Missing Authentication Denial-of-Service Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-23-1877/ | x_research-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Voltronic Power | ViewPower Pro |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:32.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1877",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1877/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronicpower:viewpower_pro:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower_pro",
"vendor": "voltronicpower",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51571",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T15:09:17.525270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T15:33:37.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower Pro",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"dateAssigned": "2023-12-20T14:45:49.239-06:00",
"datePublic": "2023-12-20T17:08:47.145-06:00",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower Pro SocketService Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the SocketService module, which listens on UDP port 41222 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-21162."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T21:17:40.851Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1877",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1877/"
}
],
"source": {
"lang": "en",
"value": "Simon Janz (@esj4y)"
},
"title": "Voltronic Power ViewPower Pro SocketService Missing Authentication Denial-of-Service Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51571",
"datePublished": "2024-04-01T21:17:40.851Z",
"dateReserved": "2023-12-20T20:38:20.866Z",
"dateUpdated": "2024-08-27T15:33:37.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-51590
Vulnerability from cvelistv5
Published
2024-05-03 02:15
Modified
2024-08-02 22:40
Severity ?
EPSS score ?
Summary
Voltronic Power ViewPower Pro UpLoadAction Unrestricted File Upload Remote Code Execution Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-23-1894/ | x_research-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Voltronic Power | ViewPower Pro |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronic_power:viewpower_pro:2.0-22165:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower_pro",
"vendor": "voltronic_power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51590",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T16:28:16.920512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:20:13.194Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:33.754Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1894",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1894/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower Pro",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"dateAssigned": "2023-12-20T14:45:49.364-06:00",
"datePublic": "2023-12-20T17:09:36.319-06:00",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower Pro UpLoadAction Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the UpLoadAction class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-22080."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T02:15:20.096Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1894",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1894/"
}
],
"source": {
"lang": "en",
"value": "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044"
},
"title": "Voltronic Power ViewPower Pro UpLoadAction Unrestricted File Upload Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51590",
"datePublished": "2024-05-03T02:15:20.096Z",
"dateReserved": "2023-12-20T20:38:20.870Z",
"dateUpdated": "2024-08-02T22:40:33.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-51573
Vulnerability from cvelistv5
Published
2024-04-01 21:18
Modified
2024-08-02 22:40
Severity ?
EPSS score ?
Summary
Voltronic Power ViewPower Pro updateManagerPassword Exposed Dangerous Function Authentication Bypass Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-23-1879/ | x_research-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Voltronic Power | ViewPower Pro |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronic_power:viewpower_pro:2.0-22165:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower_pro",
"vendor": "voltronic_power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51573",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-03T14:36:18.724567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T13:27:14.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:33.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1879",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1879/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower Pro",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"dateAssigned": "2023-12-20T14:45:49.250-06:00",
"datePublic": "2023-12-20T17:08:52.846-06:00",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower Pro updateManagerPassword Exposed Dangerous Function Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the updateManagerPassword function. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21203."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T21:18:29.225Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1879",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1879/"
}
],
"source": {
"lang": "en",
"value": "Simon Janz (@esj4y)"
},
"title": "Voltronic Power ViewPower Pro updateManagerPassword Exposed Dangerous Function Authentication Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51573",
"datePublished": "2024-04-01T21:18:29.225Z",
"dateReserved": "2023-12-20T20:38:20.867Z",
"dateUpdated": "2024-08-02T22:40:33.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-51595
Vulnerability from cvelistv5
Published
2024-05-03 02:15
Modified
2024-08-02 22:40
Severity ?
EPSS score ?
Summary
Voltronic Power ViewPower Pro selectDeviceListBy SQL Injection Remote Code Execution Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-23-1897/ | x_research-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Voltronic Power | ViewPower Pro |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronicpower:viewpower:1.04.21353:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower",
"vendor": "voltronicpower",
"versions": [
{
"status": "affected",
"version": "1.04.21353"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T19:56:15.430919Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:20:43.949Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:34.084Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1897",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1897/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower Pro",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"dateAssigned": "2023-12-20T14:45:49.398-06:00",
"datePublic": "2023-12-20T17:09:47.952-06:00",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower Pro selectDeviceListBy SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the selectDeviceListBy method. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-22163."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T02:15:23.817Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1897",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1897/"
}
],
"source": {
"lang": "en",
"value": "hir0ot"
},
"title": "Voltronic Power ViewPower Pro selectDeviceListBy SQL Injection Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51595",
"datePublished": "2024-05-03T02:15:23.817Z",
"dateReserved": "2023-12-20T20:38:20.870Z",
"dateUpdated": "2024-08-02T22:40:34.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-51593
Vulnerability from cvelistv5
Published
2024-05-03 02:15
Modified
2024-08-02 22:40
Severity ?
EPSS score ?
Summary
Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-23-1896/ | x_research-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Voltronic Power | ViewPower Pro |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronic_power:viewpower_pro:2.0-22165:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower_pro",
"vendor": "voltronic_power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51593",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T19:00:47.317589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T17:12:45.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:32.588Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1896",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1896/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower Pro",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"dateAssigned": "2023-12-20T14:45:49.384-06:00",
"datePublic": "2023-12-20T17:09:42.581-06:00",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the Struts2 dependency. The issue results from the use of a library that is vulnerable to expression language injection. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-22095."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T02:15:22.331Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1896",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1896/"
}
],
"source": {
"lang": "en",
"value": "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044"
},
"title": "Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51593",
"datePublished": "2024-05-03T02:15:22.331Z",
"dateReserved": "2023-12-20T20:38:20.870Z",
"dateUpdated": "2024-08-02T22:40:32.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-51588
Vulnerability from cvelistv5
Published
2024-05-03 02:15
Modified
2024-08-02 22:40
Severity ?
EPSS score ?
Summary
Voltronic Power ViewPower Pro MySQL Use of Hard-coded Credentials Local Privilege Escalation Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-23-1893/ | x_research-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Voltronic Power | ViewPower Pro |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronic_power:viewpower_pro:2.0-22165:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower_pro",
"vendor": "voltronic_power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51588",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T19:01:50.686550Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T17:12:54.541Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:33.742Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1893",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1893/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower Pro",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"dateAssigned": "2023-12-20T14:45:49.351-06:00",
"datePublic": "2023-12-20T17:09:33.651-06:00",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower Pro MySQL Use of Hard-coded Credentials Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Voltronic Power ViewPower Pro. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the configuration of a MySQL instance. The issue results from hardcoded database credentials. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-22075."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T02:15:18.605Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1893",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1893/"
}
],
"source": {
"lang": "en",
"value": "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044"
},
"title": "Voltronic Power ViewPower Pro MySQL Use of Hard-coded Credentials Local Privilege Escalation Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51588",
"datePublished": "2024-05-03T02:15:18.605Z",
"dateReserved": "2023-12-20T20:38:20.870Z",
"dateUpdated": "2024-08-02T22:40:33.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-51586
Vulnerability from cvelistv5
Published
2024-05-03 02:15
Modified
2024-08-02 22:40
Severity ?
EPSS score ?
Summary
Voltronic Power ViewPower Pro selectEventConfig SQL Injection Remote Code Execution Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-23-1891/ | x_research-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Voltronic Power | ViewPower Pro |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronic_power:viewpower_pro:2.0-22165:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower_pro",
"vendor": "voltronic_power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51586",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T15:43:11.883686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:20:15.321Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:33.768Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1891",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1891/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower Pro",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"dateAssigned": "2023-12-20T14:45:49.339-06:00",
"datePublic": "2023-12-20T17:09:28.904-06:00",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower Pro selectEventConfig SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the selectEventConfig method. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-22072."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T02:15:17.119Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1891",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1891/"
}
],
"source": {
"lang": "en",
"value": "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044"
},
"title": "Voltronic Power ViewPower Pro selectEventConfig SQL Injection Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51586",
"datePublished": "2024-05-03T02:15:17.119Z",
"dateReserved": "2023-12-20T20:38:20.869Z",
"dateUpdated": "2024-08-02T22:40:33.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-51572
Vulnerability from cvelistv5
Published
2024-04-01 21:18
Modified
2024-08-27 15:39
Severity ?
EPSS score ?
Summary
Voltronic Power ViewPower Pro getMacAddressByIp Command Injection Remote Code Execution Vulnerability
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-23-1878/ | x_research-advisory |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Voltronic Power | ViewPower Pro |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:33.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1878",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1878/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronicpower:viewpower_pro:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower_pro",
"vendor": "voltronicpower",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51572",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-02T14:45:05.815097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T15:39:48.828Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower Pro",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"dateAssigned": "2023-12-20T14:45:49.244-06:00",
"datePublic": "2023-12-20T17:08:50.501-06:00",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower Pro getMacAddressByIp Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the getMacAddressByIP function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21163."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T21:18:11.318Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1878",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1878/"
}
],
"source": {
"lang": "en",
"value": "Simon Janz (@esj4y)"
},
"title": "Voltronic Power ViewPower Pro getMacAddressByIp Command Injection Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51572",
"datePublished": "2024-04-01T21:18:11.318Z",
"dateReserved": "2023-12-20T20:38:20.866Z",
"dateUpdated": "2024-08-27T15:39:48.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}