CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

CVE-2024-50691

Description: SunGrow iSolarCloud Android app V2.1.6.20241104 and prior suffers from missing SSL certificate validation. The app explicitly ignores certificate errors and is therefore vulnerable to MITM attacks: an attacker positioned on the network path can impersonate the iSolarCloud server and communicate with the Android app.

EPSS Score: 0.02%

Source: CVE
February 26th, 2025 (4 months ago)
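Added example (not code from the page or from SunGrow): Python's ssl module stands in for the Android client's TLS stack to show the two sides of this CVE. insecure_client_context() reproduces the behaviour the description gives (certificate errors ignored, which on Android is typically a TrustManager or HostnameVerifier that accepts everything), hardened_client_context() is what a client should build, and audit_client_context() is a hypothetical review check that lists every setting that would let an impersonating server succeed. All three function names are the example's own.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The pattern CVE-2024-50691 describes, in Python terms: certificate
    errors are explicitly ignored, so any server presenting any certificate
    (self-signed, expired, issued for another name) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # "ignore certificate errors"
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Validate the chain against the platform trust store, check that the
    certificate name matches the host, and refuse pre-TLS-1.2 versions."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Hypothetical review check: return every setting that would let a
    man-in-the-middle impersonate the server. Empty list means none found."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: the server certificate is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: a valid certificate for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: protocol downgrade is possible")
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_client_context(ctx) or "no findings")
```

The order of the two assignments in insecure_client_context() matters: Python refuses to set verify_mode to CERT_NONE while check_hostname is still True, which is a useful hint that the two settings only make sense together. The same audit applies to any client: if either verify_mode or check_hostname is relaxed, a certificate issued to the attacker is as good as the real one.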

CVE-2024-50689

Description: SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the orgService API model.

EPSS Score: 0.04%

Source: CVE
February 26th, 2025 (4 months ago)

CVE-2024-50688

Description: SunGrow iSolarCloud Android application V2.1.6.20241017 and prior contains hardcoded credentials. The application (regardless of the user account) and the cloud use the same MQTT credentials for exchanging device telemetry, so every app install, and anyone who extracts the credentials from the APK, has the same access to the MQTT broker.

EPSS Score: 0.06%

Source: CVE
February 26th, 2025 (4 months ago)
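Added example (not code from the page or from SunGrow): the broker-side contrast between one credential shared by every install and per-principal credentials scoped by topic ACL. topic_matches() implements MQTT 3.1.1 filter matching ('+' one level, '#' the parent and everything below it, wildcard-first filters never matching '$'-prefixed topics), issue_credential() mints a random secret per principal with filters covering only that principal's devices, and authorize() is the ACL check. The topic layout devices/<serial>/telemetry and devices/<serial>/cmd, the principal names and SHARED_CREDENTIAL are all constructed for the example; the page does not show the real topics or values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class MqttCredential:
    client_id: str
    username: str
    password_hash: str          # sha256 hex of a random 256-bit secret (fast hash is fine
                                # for a random secret; human passwords would need a slow KDF)
    subscribe_filters: tuple    # topic filters this principal may read
    publish_filters: tuple      # topic filters this principal may write


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT 3.1.1 topic filter matching."""
    f, t = filter_.split("/"), topic.split("/")
    if topic.startswith("$") and f[0] in ("+", "#"):
        return False                      # '#' / '+' must not expose $SYS-style topics
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1        # only valid as the last level; matches parent + subtree
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


def issue_credential(principal: str, device_serials: list[str]) -> tuple[MqttCredential, str]:
    """Per-principal credential limited to the devices that principal owns. The
    plaintext secret is returned once for delivery to the client; nothing is
    baked into the app binary."""
    secret = secrets.token_urlsafe(32)
    cred = MqttCredential(
        client_id=f"app-{principal}",
        username=principal,
        password_hash=hashlib.sha256(secret.encode()).hexdigest(),
        subscribe_filters=tuple(f"devices/{sn}/telemetry/#" for sn in device_serials),
        publish_filters=tuple(f"devices/{sn}/cmd" for sn in device_serials),
    )
    return cred, secret


def verify_password(cred: MqttCredential, secret: str) -> bool:
    return hmac.compare_digest(cred.password_hash,
                               hashlib.sha256(secret.encode()).hexdigest())


def authorize(cred: MqttCredential, action: str, topic: str) -> bool:
    """Broker ACL check for 'subscribe' or 'publish'. A wildcard subscription is
    granted only when it is exactly one of the principal's own filters, so a
    client cannot widen its view with 'devices/+/telemetry/#' or '#'."""
    granted = cred.subscribe_filters if action == "subscribe" else cred.publish_filters
    if action == "subscribe" and ("+" in topic or "#" in topic):
        return topic in granted
    return any(topic_matches(g, topic) for g in granted)


# The situation the CVE describes, as a constructed stand-in: one credential
# shared by every app install, allowed to read and write everything.
SHARED_CREDENTIAL = MqttCredential(
    client_id="isolarcloud-app", username="app",
    password_hash=hashlib.sha256(b"hardcoded-in-apk").hexdigest(),
    subscribe_filters=("#",), publish_filters=("#",),
)
```

With the shared credential, whoever holds it can subscribe to '#' and receive every customer's telemetry; with a scoped credential the broker rejects both a direct read of another serial's topic and any wildcard that would cover it.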

CVE-2024-50687

Description: SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the devService API model.

EPSS Score: 0.04%

Source: CVE
February 26th, 2025 (4 months ago)

CVE-2024-50686

Description: SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the commonService API model.

EPSS Score: 0.04%

Source: CVE
February 26th, 2025 (4 months ago)

CVE-2024-50685

Description: SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the powerStationService API model.

EPSS Score: 0.04%

Source: CVE
February 26th, 2025 (4 months ago)

CVE-2024-50684

Description: SunGrow iSolarCloud Android app V2.1.6.20241017 and prior uses an insecure AES key to encrypt client data (insufficient entropy). This may allow attackers to decrypt intercepted communications between the mobile app and iSolarCloud.

EPSS Score: 0.04%

Source: CVE
February 26th, 2025 (4 months ago)
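Added example (not code from the page or from SunGrow) showing why "insufficient entropy" in the key defeats the cipher no matter how strong the cipher is. The page does not say how the app derived its key, so weak_key() uses a hypothetical derivation from a 4-digit seed; the telemetry JSON is constructed; and because the standard library has no AES, keystream_encrypt() stands in for AES-CTR with a SHA-256 counter keystream. recover_weak_key() is the known-plaintext brute force an attacker who intercepted app traffic would run; the cipher could be swapped for real AES without changing that logic.

```python
import hashlib
import math
import secrets

WEAK_KEY_SPACE = 10 ** 4   # the hypothetical derivation admits only this many keys


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR: keystream block i = SHA-256(key || i). Encryption
    and decryption are the same XOR. Only the size of the key space matters
    for the attack below, not the choice of keystream generator."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def weak_key(seed: int) -> bytes:
    """Hypothetical low-entropy derivation: a 128-bit key stretched from a
    4-digit number. 128 bits of key material, about 13.3 bits of entropy."""
    return hashlib.sha256(str(seed).zfill(4).encode()).digest()[:16]


def strong_key() -> bytes:
    """128 bits straight from the OS CSPRNG: 2**128 possible keys."""
    return secrets.token_bytes(16)


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def recover_weak_key(ciphertext: bytes, known_prefix: bytes):
    """Known-plaintext brute force. Protocol messages start the same way every
    time, so trial-decrypt just the prefix under each candidate key and stop
    at the first match. Returns (seed, key) or None."""
    for seed in range(WEAK_KEY_SPACE):
        k = weak_key(seed)
        if keystream_encrypt(k, ciphertext[:len(known_prefix)]) == known_prefix:
            return seed, k
    return None


def demo() -> int:
    """Constructed telemetry message; real iSolarCloud payloads are not on this page."""
    plaintext = b'{"result_code":"1","result_data":{"ps_id":"12345","power":3.2}}'
    ct = keystream_encrypt(weak_key(4271), plaintext)      # what the attacker captured
    seed, k = recover_weak_key(ct, b'{"result_code":')     # attacker knows only the prefix
    assert keystream_encrypt(k, ct) == plaintext           # full message decrypts
    return seed


if __name__ == "__main__":
    print("recovered seed:", demo())
    print("weak key entropy bits: %.1f, CSPRNG key: %d" % (entropy_bits(WEAK_KEY_SPACE), entropy_bits(2 ** 128)))
```

The prefix used for matching should be long enough that a wrong key cannot pass by chance; with a 15-byte prefix and 10**4 candidates the false-match probability is negligible, whereas a 2-byte prefix would produce spurious hits. Against a key from secrets.token_bytes(16) the same loop would need 2**128 trials, so the fix is in how the key is generated, not in the cipher or the mode.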
Description: The threat group has a variety of tactics in its toolbox, including double extortion and ransomware-as-a-service.
Source: Dark Reading
February 26th, 2025 (4 months ago)
Description: Summary

This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be exploited by authenticated users.

Remote Code Execution (RCE) via Asset Upload: A Remote Code Execution vulnerability has been identified in the asset upload functionality. Insufficient enforcement of allowed file extensions allows an attacker to bypass restrictions and upload executable files, such as PHP scripts.

Path Traversal File Deletion: A Path Traversal vulnerability exists in the upload validation process. Due to improper handling of path components, an authenticated user can manipulate the file deletion process to delete arbitrary files on the host system.

Mitigation: Please update to 5.2.3 or later.

Workarounds: None.

References:
https://owasp.org/www-community/attacks/Code_Injection
https://owasp.org/www-community/attacks/Path_Traversal

If you have any questions or comments about this advisory: Email us at [email protected]

References:
https://github.com/mautic/mautic/security/advisories/GHSA-73gx-x7r9-77x2
https://github.com/mautic/mautic/commit/75bc488ce98b9c8ec01114984049fc1c42c0cae5
https://github.com/advisories/GHSA-73gx-x7r9-77x2
Source: Github Advisory Database (Composer)
February 26th, 2025 (4 months ago)
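Added example (not code from the page and not Mautic's own PHP, which the advisory does not show): the two checks that this pair of bugs is about, written in Python. validate_upload_name() enforces an extension allowlist on a client-supplied name after stripping any directory part, rejects NUL bytes, and refuses an executable extension anywhere in the name (so "shell.php.jpg" is rejected, since some Apache configurations hand such names to the PHP handler). resolve_inside() is the path-containment check the deletion path needs: resolve the client path under the upload directory, then prove the result is still inside it after '..' and symlinks are resolved. The allowlist, the directory layout and the files in demo() are constructed for the example.

```python
import os
import tempfile

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "csv", "txt"}
# Rejected anywhere in the name, not only at the end.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                         "htaccess", "cgi", "pl", "sh"}


class UploadRejected(ValueError):
    pass


def validate_upload_name(client_name: str) -> str:
    """Return a safe basename for a client-supplied file name, or raise."""
    if "\x00" in client_name:
        raise UploadRejected("NUL byte in file name")
    # Drop any directory part the client sent, with either separator.
    name = client_name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if name in ("", ".", "..") or name.startswith("."):
        raise UploadRejected("empty, dot or hidden file name")
    parts = name.lower().split(".")          # case-fold: "SHELL.PHP" is still PHP
    if len(parts) < 2:
        raise UploadRejected("no extension")
    exts = parts[1:]
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{exts[-1]} not allowed")
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        raise UploadRejected("executable extension in name")
    return name


def is_safe_name(client_name: str) -> bool:
    try:
        validate_upload_name(client_name)
        return True
    except UploadRejected:
        return False


def resolve_inside(base_dir: str, client_path: str) -> str:
    """Resolve client_path under base_dir and prove the result stays inside it.
    realpath() follows '..' and symlinks; an absolute client_path makes
    os.path.join discard base_dir, which the containment test also catches."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, client_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{client_path!r} escapes {base_dir!r}")
    return target


def delete_upload(base_dir: str, client_path: str) -> bool:
    """Delete a file under base_dir; False if there is no such file."""
    target = resolve_inside(base_dir, client_path)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Constructed scenario: an uploads directory holding one real asset and a
    symlink that points outside it, plus a file outside that must survive."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        secret = os.path.join(root, "secret.txt")
        for p in (secret, os.path.join(uploads, "report.csv")):
            open(p, "w").close()
        os.symlink(secret, os.path.join(uploads, "link.csv"))
        attempts = {"report.csv": "report.csv", "dotdot": "../secret.txt",
                    "symlink": "link.csv", "absolute": secret}
        results = {}
        for label, client_path in attempts.items():
            try:
                results[label] = delete_upload(uploads, client_path)
            except PermissionError:
                results[label] = "rejected"
        results["secret_survives"] = os.path.exists(secret)
        return results
```

Note that the symlink case is rejected even though "link.csv" passes the name check and sits inside the upload directory: the containment test runs on the resolved path, which is the only path the delete would actually touch.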
Description: Summary

This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data.

Improper Authorization: An authorization flaw exists in Mautic's API Authorization implementation. Any authenticated user, regardless of assigned roles or permissions, can access all reports and their associated data via the API. This bypasses the intended access controls governed by the "Reporting Permissions > View Own" and "Reporting Permissions > View Others" permissions, which should restrict access to non-System Reports.

Mitigation: Please update to Mautic 5.2.3 or later.

Workarounds: Disable the API in Mautic. See documentation.

References:
https://cwe.mitre.org/data/definitions/285.html
https://docs.mautic.org/en/5.2/configuration/settings.html#api-settings

If you have any questions or comments about this advisory: Email us at [email protected]

References:
https://github.com/mautic/mautic/security/advisories/GHSA-8xv7-g2q3-fqgc
https://github.com/mautic/mautic/commit/9d7ee57c92502ef77cddb091011c5ffef14b11ee
https://github.com/advisories/GHSA-8xv7-g2q3-fqgc
Source: Github Advisory Database (Composer)
February 26th, 2025 (4 months ago)
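Added example (not code from the page, from SunGrow or from Mautic) covering the same defect in two forms on this page: the four SunGrow IDOR entries (orgService, devService, commonService and powerStationService, where a valid session plus someone else's object id is enough) and the Mautic report advisory (where authentication is checked but the "View Own" / "View Others" permissions are not). Service.get_vulnerable() is the authenticated-but-unscoped lookup; Service.get() and Service.list() apply can_read() to every object. The policy in can_read() is a hypothetical one modelled on the advisory text: tenant objects are readable only inside the caller's org, reports follow the two permissions, and system reports are readable by any authenticated user (an assumption, since the advisory only says the permissions govern non-System Reports). Users, objects and permission names are constructed.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    perms: frozenset       # e.g. {"report:view_own", "report:view_others"}


@dataclass(frozen=True)
class Resource:
    id: int
    kind: str              # "device", "power_station", "org", "report"
    org_id: int            # tenant the object belongs to
    owner_id: int = 0      # creating user (used for reports)
    is_system: bool = False


def can_read(user: User, res: Resource) -> bool:
    """Object-level authorization, evaluated per object, never trusted from the request."""
    if res.kind == "report":
        if res.is_system:
            return True                                   # assumption: visible to all
        if res.owner_id == user.id:
            return "report:view_own" in user.perms
        return "report:view_others" in user.perms
    return res.org_id == user.org_id                      # tenant-scoped objects


class Service:
    def __init__(self, objects):
        self._by_id = {o.id: o for o in objects}

    def get_vulnerable(self, user: User, object_id: int) -> Resource:
        """The IDOR: the caller is authenticated, but the id is honoured as-is."""
        return self._by_id[object_id]

    def get(self, user: User, object_id: int) -> Resource:
        """Look up, then authorize. Unknown and forbidden ids raise the same
        error so the endpoint does not become an id-enumeration oracle."""
        res = self._by_id.get(object_id)
        if res is None or not can_read(user, res):
            raise Forbidden(f"object {object_id} is not available to user {user.id}")
        return res

    def list(self, user: User, kind: str) -> list:
        """Listings are filtered by the same predicate, never by a client-supplied org id."""
        return [r for r in self._by_id.values() if r.kind == kind and can_read(user, r)]


def accessible(svc: Service, user: User, object_id: int) -> bool:
    try:
        svc.get(user, object_id)
        return True
    except Forbidden:
        return False


def build_demo():
    """Constructed data: two orgs; alice in org 1, bob and an auditor in org 2;
    report 300 was created by bob; report 301 is a system report."""
    objects = [
        Resource(10, "device", org_id=1),
        Resource(11, "power_station", org_id=1),
        Resource(20, "device", org_id=2),
        Resource(300, "report", org_id=2, owner_id=2),
        Resource(301, "report", org_id=0, is_system=True),
    ]
    alice = User(1, org_id=1, perms=frozenset({"report:view_own"}))
    bob = User(2, org_id=2, perms=frozenset({"report:view_own"}))
    auditor = User(3, org_id=2, perms=frozenset({"report:view_own", "report:view_others"}))
    return Service(objects), alice, bob, auditor


if __name__ == "__main__":
    svc, alice, bob, auditor = build_demo()
    print("IDOR: alice reads org-2 device via vulnerable path:", svc.get_vulnerable(alice, 20))
    print("fixed path for alice on id 20:", accessible(svc, alice, 20))
    print("alice on bob's report:", accessible(svc, alice, 300), "auditor:", accessible(svc, auditor, 300))
```

The point common to both advisories is where the check lives: once per object, next to the lookup, rather than once per request at the authentication layer. A listing endpoint that filters by can_read() and a detail endpoint that calls it on the fetched object cannot disagree about who may see what.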