Security Vulnerabilities - CVEs Published In May 2024
Hard-coded credentials for the
CyberPower PowerPanel test server can be found in the
production code. This might result in an attacker gaining access to the
testing or production server.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-05-15
Hard-coded credentials are used by theĀ
CyberPower PowerPanel
platform to authenticate to the
database, other services, and the cloud. This could result in an
attacker gaining access to services with the privileges of a Powerpanel
business application.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-05-15
CyberPower PowerPanel business
application code contains a hard-coded JWT signing key. This could
result in an attacker forging JWT tokens to bypass authentication.
CVSS Score
9.8
EPSS Score
0.0
Published
2024-05-15
Certain MQTT wildcards are not blocked on the
CyberPower PowerPanel
system, which might result in an attacker obtaining data from throughout the system after gaining access to any device.
CVSS Score
6.5
EPSS Score
0.002
Published
2024-05-15
The devices which CyberPower PowerPanel manages use identical certificates based on a
hard-coded cryptographic key. This can allow an attacker to impersonate
any client in the system and send malicious data.
CVSS Score
7.7
EPSS Score
0.001
Published
2024-05-15
An attacker with certain MQTT permissions can create malicious messages
to all CyberPower PowerPanel devices. This could result in an attacker injecting
SQL syntax, writing arbitrary files to the system, and executing remote
code.
CVSS Score
8.8
EPSS Score
0.003
Published
2024-05-15
The key used to encrypt passwords stored in the database can be found in
the
CyberPower PowerPanel
application code, allowing the passwords to be recovered.
CVSS Score
4.9
EPSS Score
0.002
Published
2024-05-15
A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /view/student_due_payment.php. The manipulation of the argument due_year leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-264444.
CVSS Score
6.3
EPSS Score
0.002
Published
2024-05-15
A vulnerability, which was classified as critical, was found in Campcodes Complete Web-Based School Management System 1.0. This affects an unknown part of the file /view/show_student1.php. The manipulation of the argument grade leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-264441 was assigned to this vulnerability.
CVSS Score
6.3
EPSS Score
0.002
Published
2024-05-15
A vulnerability has been found in Campcodes Complete Web-Based School Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /view/show_student2.php. The manipulation of the argument grade leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-264442 is the identifier assigned to this vulnerability.
CVSS Score
6.3
EPSS Score
0.002
Published
2024-05-15