{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-33615", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2024-04-29T16:47:22.325Z", "datePublished": "2024-05-15T19:23:24.378Z", "dateUpdated": "2024-06-04T17:45:06.378Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PowerPanel business", "vendor": "CyberPower", "versions": [{"lessThan": "4.9.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Amir Preminger and Noam Moshe of Claroty Team82 Research reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\nA specially crafted Zip file containing path traversal characters can be\n imported to the \nCyberPower PowerPanel \n\nserver, which allows file writing to the server outside\n the intended scope, and could allow an attacker to achieve remote code \nexecution.\n\n<br>"}], "value": "A specially crafted Zip file containing path traversal characters can be\n imported to the \nCyberPower PowerPanel \n\nserver, which allows file writing to the server outside\n the intended scope, and could allow an attacker to achieve remote code \nexecution."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "description": "CWE-23", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2024-05-15T19:23:24.378Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"}, {"url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n<p>CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads\">https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads</a><br></p>\n\n<br>"}], "value": "CyberPower has released a new version (v4.10.1 or later version) of PowerPanel business that fixes these vulnerabilities.\n\n\n https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "source": {"advisory": "ICSA-24-123-01", "discovery": "EXTERNAL"}, "title": "CyberPower PowerPanel business Relative Path Traversal", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-33615", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-16T15:05:33.307418Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cyberpower:powerpanel_business:*:*:*:*:*:*:*:*"], "vendor": "cyberpower", "product": "powerpanel_business", "versions": [{"status": "affected", "version": "0", "lessThan": "4.9.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:45:06.378Z"}}]}}

{"descriptions": [{"lang": "en", "value": "A specially crafted Zip file containing path traversal characters can be\n imported to the \nCyberPower PowerPanel \n\nserver, which allows file writing to the server outside\n the intended scope, and could allow an attacker to achieve remote code \nexecution."}, {"lang": "es", "value": "Se puede importar al servidor CyberPower PowerPanel un archivo Zip especialmente manipulado que contiene caracteres de recorrido de ruta, lo que permite escribir archivos en el servidor fuera del alcance previsto y podr\u00eda permitir a un atacante lograr la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2024-33615", "lastModified": "2024-05-16T13:03:05.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2024-05-15T20:15:12.687", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cyberpower.com/global/en/product/sku/powerpanel_business_for_windows#downloads"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}