CVE-2023-3267

CVSS V2 None CVSS V3 None
Description
When adding a remote backup location, an authenticated user can pass arbitrary OS commands through the username field. The username is passed without sanitization into CMD running as NT/Authority System. An authenticated attacker can leverage this vulnerability to execute arbitrary code with system-level access to the CyberPower PowerPanel Enterprise server.
Overview
  • CVE ID
  • CVE-2023-3267
  • Assigner
  • trellixpsirt@trellix.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2023-08-14T05:15:10
  • Last Modified Date
  • 2023-08-22T16:15:46
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:cyberpower:powerpanel_server:*:*:*:*:enterprise:*:*:* 1 OR 2.6.9
History
Created Old Value New Value Data Type Notes
2023-09-06 03:41:42 Added to TrackCVE
2023-09-06 03:41:43 Weakness Enumeration new