When adding a remote backup location, an authenticated user can pass arbitrary OS commands through the username field. The username is passed without sanitization into CMD running as NT/Authority System. An authenticated attacker can leverage this vulnerability to execute arbitrary code with system-level access to the CyberPower PowerPanel Enterprise server.
References
Link | Resource |
---|---|
https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurking-in-data-centers.html | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: trellix
Published: 2023-08-14T04:11:06.644Z
Updated: 2023-08-14T04:11:06.644Z
Reserved: 2023-06-15T06:50:38.458Z
Link: CVE-2023-3267
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-08-14T05:15:10.133
Modified: 2023-08-22T16:15:46.067
Link: CVE-2023-3267
JSON object: View
Redhat Information
No data.
CWE