Search
Total
2 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-25755 | 1 Enphase | 2 Envoy, Envoy Firmware | 2022-05-03 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered on Enphase Envoy R3.x and D4.x (and other current) devices. The upgrade_start function in /installer/upgrade_start allows remote authenticated users to execute arbitrary commands via the force parameter. | |||||
| CVE-2020-25754 | 1 Enphase | 2 Envoy, Envoy Firmware | 2021-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Enphase Envoy R3.x and D4.x devices. There is a custom PAM module for user authentication that circumvents traditional user authentication. This module uses a password derived from the MD5 hash of the username and serial number. The serial number can be retrieved by an unauthenticated user at /info.xml. Attempts to change the user password via passwd or other tools have no effect. | |||||