Vulnerability Description
A non-feature complete authentication mechanism exists in the production application allowing an attacker to bypass all authentication checks if LDAP authentication is selected.An unauthenticated attacker can leverage this vulnerability to log in to the CypberPower PowerPanel Enterprise as an administrator by selecting LDAP authentication from a hidden HTML combo box. Successful exploitation of this vulnerability also requires the attacker to know at least one username on the device, but any password will authenticate successfully.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cyberpower | Powerpanel Server | < 2.6.9 |
Related Weaknesses (CWE)
References
- https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurkingVendor Advisory
- https://www.trellix.com/en-us/about/newsroom/stories/research/the-threat-lurkingVendor Advisory
FAQ
What is CVE-2023-3266?
CVE-2023-3266 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A non-feature complete authentication mechanism exists in the production application allowing an attacker to bypass all authentication checks if LDAP authentication is selected.An unauthenticated atta...
How severe is CVE-2023-3266?
CVE-2023-3266 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-3266?
Check the references section above for vendor advisories and patch information. Affected products include: Cyberpower Powerpanel Server.