Enphase Envoy

13 CVEs affecting Enphase Envoy. Latest disclosed: 2024-08-12. Critical: 3, High: 5.

Top CVEs affecting Enphase Envoy
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-21878 | Critical | 9.8 | 2024-08-12 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Com… |
| CVE-2020-25753 | Critical | 9.8 | 2021-06-16 | An issue was discovered on Enphase Envoy R3.x and D4.x devices with v3 software. The default admin password is set to the last 6 digits of the serial number. T… |
| CVE-2019-7678 | Critical | 9.8 | 2019-02-09 | A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888. |
| CVE-2024-21879 | High | 8.8 | 2024-08-12 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability through a url parameter of an authenticated endpoint in Enpha… |
| CVE-2020-25755 | High | 8.8 | 2021-06-16 | An issue was discovered on Enphase Envoy R3.x and D4.x (and other current) devices. The upgrade_start function in /installer/upgrade_start allows remote authen… |
| CVE-2020-25754 | High | 7.5 | 2021-06-16 | An issue was discovered on Enphase Envoy R3.x and D4.x devices. There is a custom PAM module for user authentication that circumvents traditional user authenti… |
| CVE-2024-21880 | High | 7.2 | 2024-08-12 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the url parameter of an authenticated endpoint in Enphase… |
| CVE-2019-7676 | High | 7.2 | 2019-02-09 | A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account. |
| CVE-2024-21877 | Medium | 6.5 | 2024-08-12 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability through a url parameter in Enphase IQ Gateway (formerly known as E… |
| CVE-2023-33869 | Medium | 6.3 | 2023-06-20 | Enphase Envoy version D7.0.88 is vulnerable to a command injection exploit that may allow an attacker to execute root commands. |
| CVE-2019-7677 | Medium | 6.1 | 2019-02-09 | XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888. |
| CVE-2020-25752 | Medium | 5.3 | 2021-06-16 | An issue was discovered on Enphase Envoy R3.x and D4.x devices. There are hardcoded web-panel login passwords for the installer and Enphase accounts. The passw… |
| CVE-2024-21881 | | | 2024-08-12 | Inadequate Encryption Strength vulnerability allows an authenticated attacker to execute arbitrary OS Commands via encrypted package upload. This issue affects E… |