Skip to main content

Powerpanel CVE-2019-13071

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2019-07-10 cve@mitre.org
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 10, 2019 - 14:15 nvd
HIGH 8.8

DescriptionNVD

CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. This can be exploited by tricking an authenticated user into visiting an attacker controlled web page.

AnalysisAI

CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. CSRF in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows an attacker to submit POST requests to any forms in the web application. This can be exploited by tricking an authenticated user into visiting an attacker controlled web page. Affected products include: Cyberpowersystems Powerpanel.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2024-32735 CRITICAL POC
9.8 May 14

An issue regarding missing authentication for certain utilities exists in CyberPower PowerPanel Enterprise prior to v2.8

CVE-2024-32739 HIGH POC
7.5 May 14

A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. Rated high severity (CVSS 7.5)

CVE-2024-32738 HIGH POC
7.5 May 14

A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. Rated high severity (CVSS 7.5)

CVE-2024-32737 HIGH POC
7.5 May 14

A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. Rated high severity (CVSS 7.5)

CVE-2024-32736 HIGH POC
7.5 May 14

A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. Rated high severity (CVSS 7.5)

CVE-2024-34025 CRITICAL
9.8 May 15

CyberPower PowerPanel business application code contains a hard-coded set of authentication credentials. Rated critical

CVE-2024-33625 CRITICAL
9.8 May 15

CyberPower PowerPanel business application code contains a hard-coded JWT signing key. Rated critical severity (CVSS 9.8

CVE-2024-32053 CRITICAL
9.8 May 15

Hard-coded credentials are used by the CyberPower PowerPanel platform to authenticate to the database, other services, a

CVE-2024-32047 CRITICAL
9.8 May 15

Hard-coded credentials for the CyberPower PowerPanel test server can be found in the production code. Rated critical sev

CVE-2023-25133 CRITICAL
9.8 Apr 24

Improper privilege management vulnerability in default.cmd file in PowerPanel Business Local/Remote for Windows v4.8.6 a

CVE-2023-25132 CRITICAL
9.8 Apr 24

Unrestricted upload of file with dangerous type vulnerability in default.cmd file in PowerPanel Business Local/Remote fo

CVE-2023-25131 CRITICAL
9.8 Apr 24

Use of default password vulnerability in PowerPanel Business Local/Remote for Windows v4.8.6 and earlier, PowerPanel Bus

Share

CVE-2019-13071 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy