CVE-2024-21880

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the url parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Enphase) allows OS Command Injection. This issue affects Envoy: 4.x <= 7.x
References
Configurations

Configuration 1

AND
cpe:2.3:o:enphase:iq_gateway_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:enphase:iq_gateway:-:*:*:*:*:*:*:*

History

23 Aug 2024, 17:38

Type Values Removed Values Added
First Time Enphase
Enphase iq Gateway
Enphase iq Gateway Firmware
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.2
Summary
  • (es) Improper neutralization of special elements used in a command ("Command Injection") vulnerability via the URL parameter of an authenticated endpoint in Enphase IQ Gateway (formerly known as Enphase) allows operating system command injection. This issue affects Envoy: 4.x <= 7.x
References () https://csirt.divd.nl/CVE-2024-21880 - () https://csirt.divd.nl/CVE-2024-21880 - Third Party Advisory
References () https://csirt.divd.nl/DIVD-2024-00011 - () https://csirt.divd.nl/DIVD-2024-00011 - Third Party Advisory
References () https://enphase.com/cybersecurity/advisories/ensa-2024-5 - () https://enphase.com/cybersecurity/advisories/ensa-2024-5 - Vendor Advisory
CWE CWE-78
CPE cpe:2.3:h:enphase:iq_gateway:-:*:*:*:*:*:*:*
cpe:2.3:o:enphase:iq_gateway_firmware:*:*:*:*:*:*:*:*

12 Aug 2024, 13:41

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-12 13:38

Updated : 2024-08-23 17:38


NVD link : CVE-2024-21880

Mitre link : CVE-2024-21880

CVE.ORG link : CVE-2024-21880


Products Affected

enphase

  • iq_gateway_firmware
  • iq_gateway
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')