Enphase Envoy
13 CVEs affecting Enphase Envoy. Latest disclosed: 2024-08-12. Critical: 3, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-21878 | Critical | 9.8 | 2024-08-12 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Com… |
| CVE-2020-25753 | Critical | 9.8 | 2021-06-16 | An issue was discovered on Enphase Envoy R3.x and D4.x devices with v3 software. The default admin password is set to the last 6 digits of the serial number. T… |
| CVE-2019-7678 | Critical | 9.8 | 2019-02-09 | A directory traversal vulnerability was discovered in Enphase Envoy R3.*.* via images/, include/, include/js, or include/css on TCP port 8888. |
| CVE-2024-21879 | High | 8.8 | 2024-08-12 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability through a url parameter of an authenticated endpoint in Enpha… |
| CVE-2020-25755 | High | 8.8 | 2021-06-16 | An issue was discovered on Enphase Envoy R3.x and D4.x (and other current) devices. The upgrade_start function in /installer/upgrade_start allows remote authen… |
| CVE-2020-25754 | High | 7.5 | 2021-06-16 | An issue was discovered on Enphase Envoy R3.x and D4.x devices. There is a custom PAM module for user authentication that circumvents traditional user authenti… |
| CVE-2024-21880 | High | 7.2 | 2024-08-12 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the url parameter of an authenticated endpoint in Enphase… |
| CVE-2019-7676 | High | 7.2 | 2019-02-09 | A weak password vulnerability was discovered in Enphase Envoy R3.*.*. One can login via TCP port 8888 with the admin password for the admin account. |
| CVE-2024-21877 | Medium | 6.5 | 2024-08-12 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability through a url parameter in Enphase IQ Gateway (formerly known as E… |
| CVE-2023-33869 | Medium | 6.3 | 2023-06-20 | Enphase Envoy version D7.0.88 is vulnerable to a command injection exploit that may allow an attacker to execute root commands. |
| CVE-2019-7677 | Medium | 6.1 | 2019-02-09 | XSS exists in Enphase Envoy R3.*.* via the profileName parameter to the /home URI on TCP port 8888. |
| CVE-2020-25752 | Medium | 5.3 | 2021-06-16 | An issue was discovered on Enphase Envoy R3.x and D4.x devices. There are hardcoded web-panel login passwords for the installer and Enphase accounts. The passw… |
| CVE-2024-21881 | | | 2024-08-12 | Inadequate Encryption Strength vulnerability allows an authenticated attacker to execute arbitrary OS Commands via encrypted package upload. This issue affects E… |