CVE-2024-32737 - OpenCVE

A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the "query_contract_result" function within MCUDBHelper.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote
https://www.tenable.com/security/research/tra-2024-14

History

No history.

MITRE

Status: PUBLISHED

Assigner: tenable

Published: 2024-05-09T14:57:57.579Z

Updated: 2024-08-02T02:20:35.316Z

Reserved: 2024-04-17T11:47:39.834Z

Link: CVE-2024-32737

Vulnrichment

Updated: 2024-08-02T02:20:35.316Z

NVD

Status : Awaiting Analysis

Published: 2024-05-14T15:37:04.270

Modified: 2024-07-03T01:57:00.443

Link: CVE-2024-32737

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32737", "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "state": "PUBLISHED", "assignerShortName": "tenable", "dateReserved": "2024-04-17T11:47:39.834Z", "datePublished": "2024-05-09T14:57:57.579Z", "dateUpdated": "2024-08-02T02:20:35.316Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CyberPower PowerPanel Enterprise", "vendor": "CyberPower", "versions": [{"lessThan": "2.8.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the \"query_contract_result\" function within MCUDBHelper.<br>"}], "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_contract_result\" function within MCUDBHelper.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable", "dateUpdated": "2024-05-09T14:57:57.579Z"}, "references": [{"url": "https://www.tenable.com/security/research/tra-2024-14"}, {"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote"}], "source": {"discovery": "UNKNOWN"}, "title": "CyberPower PowerPanel Enterprise SQL Injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32737", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-09T17:22:26.942838Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"], "vendor": "cyberpower", "product": "powerpanel_enterprise", "versions": [{"status": "affected", "version": "0", "lessThan": "2.8.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:51:42.633Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.316Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.tenable.com/security/research/tra-2024-14", "tags": ["x_transferred"]}, {"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.tenable.com/security/research/tra-2024-14", "tags": ["x_transferred"]}, {"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:20:35.316Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32737", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-09T17:22:26.942838Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cyberpower:powerpanel_enterprise:*:*:*:*:*:*:*:*"], "vendor": "cyberpower", "product": "powerpanel_enterprise", "versions": [{"status": "affected", "version": "0", "lessThan": "2.8.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-09T17:27:13.881Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "CyberPower PowerPanel Enterprise SQL Injection", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CyberPower", "product": "CyberPower PowerPanel Enterprise", "versions": [{"status": "affected", "version": "0", "lessThan": "2.8.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.tenable.com/security/research/tra-2024-14"}, {"url": "https://www.cyberpower.com/global/en/File/GetFileSampleByType?fileId=SU-18070002-07&fileSubType=FileReleaseNote"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3.\u00a0An unauthenticated remote attacker can leak sensitive information via the \"query_contract_result\" function within MCUDBHelper.\n", "supportingMedia": [{"type": "text/html", "value": "A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. An unauthenticated remote attacker can leak sensitive information via the \"query_contract_result\" function within MCUDBHelper.<br>", "base64": false}]}], "providerMetadata": {"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable", "dateUpdated": "2024-05-09T14:57:57.579Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32737", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:20:35.316Z", "dateReserved": "2024-04-17T11:47:39.834Z", "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "datePublished": "2024-05-09T14:57:57.579Z", "assignerShortName": "tenable"}, "dataVersion": "5.1"}