H3-2024-0061

CyberPower PowerPanel Enterprise SQL Injection Vulnerability

Category: VULNERABILITY
Base Score: 7.5

Description

CyberPower PowerPanel Enterprise prior to v2.8.3 contains a SQL injection vulnerability in the "query_ptask_verbose" function within the MCUDBHelper component. CVE-2024-32739 exists due to insufficient input sanitization in the API endpoint handling configuration queries, allowing crafted SQL statements to be injected via user-supplied parameters. The vulnerability is exploitable by remote attackers without authentication over the network with low attack complexity. The affected component interacts with an underlying SQLite database, and the injection point enables UNION-based SQL injection techniques.
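To make the flaw class concrete, the following is an added illustration in Python against an in-memory SQLite database; it is not PowerPanel's code. The table layout, the column names and the sample rows are constructed assumptions, and the two functions show the concatenation pattern behind an injectable lookup beside the validated, parameterized form a fix would use.

```python
import sqlite3

# Constructed toy schema standing in for a task table; the real MCUDBHelper
# schema is not on the page, so every name here is an assumption.
SCHEMA = """
CREATE TABLE ptask (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    owner TEXT NOT NULL
);
INSERT INTO ptask VALUES (1, 'nightly-shutdown', 'admin');
INSERT INTO ptask VALUES (2, 'ups-selftest', 'operator');
"""


def open_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def is_well_formed_task_id(task_id: str) -> bool:
    """Allow-list check: the API contract expects a non-negative integer id."""
    return task_id.isdigit()


def query_ptask_verbose_unsafe(conn: sqlite3.Connection, task_id: str) -> list:
    """Vulnerable pattern: the caller-supplied value is spliced into the
    statement text, so SQL metacharacters change the query's structure."""
    sql = "SELECT id, name, owner FROM ptask WHERE id = '" + task_id + "'"
    return conn.execute(sql).fetchall()


def query_ptask_verbose_safe(conn: sqlite3.Connection, task_id: str) -> list:
    """Hardened pattern: validate the expected type, then bind the value as a
    parameter so SQLite treats it as data and never parses it as SQL."""
    if not is_well_formed_task_id(task_id):
        raise ValueError("task id must be a non-negative integer")
    sql = "SELECT id, name, owner FROM ptask WHERE id = ?"
    return conn.execute(sql, (int(task_id),)).fetchall()


if __name__ == "__main__":
    db = open_db()
    tautology = "' OR '1'='1"  # constructed input that should match no row
    print(len(query_ptask_verbose_unsafe(db, tautology)))  # 2: every row leaks
    print(is_well_formed_task_id(tautology))  # False: hardened path rejects it
```

The unsafe path returns every row for the constructed input because the quote closes the literal and the `OR` rewrites the predicate; the hardened path rejects it before any query runs.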

Impact

Remote attackers can extract sensitive information from the underlying database, including configuration data and credentials. Compromised power management infrastructure could affect availability of connected systems and devices across an organization.

References