CVE-2024-21880

Aug. 12, 2024, 1:41 p.m.

Tags

CWE-77
2024-08-12
csirt@divd.nl
CVE-2024-21880

Product(s) Impacted

Enphase IQ Gateway

  • 4.x
  • 5.x
  • 6.x
  • 7.x

Description

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the url parameter of an authenticated enpoint in Enphase IQ Gateway (formerly known as Enphase) allows OS Command Injection.This issue affects Envoy: 4.x <= 7.x

Weaknesses

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE ID: 77

Date

Published: Aug. 12, 2024, 1:38 p.m.

Last Modified: Aug. 12, 2024, 1:41 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

csirt@divd.nl

References

https://csirt.divd.nl/CVE-2024-21880
csirt@divd.nl
https://csirt.divd.nl/DIVD-2024-00011
csirt@divd.nl
https://enphase.com/cybersecurity/advisories/ensa-2024-5
csirt@divd.nl