Growatt Cloud Portal
30 CVEs affecting Growatt Cloud Portal. Latest disclosed: 2025-04-15. Critical: 2, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-24297 | Critical | 9.8 | 2025-04-15 | Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users' personal spaces of the web portal. |
| CVE-2025-30510 | Critical | 9.8 | 2025-04-15 | An attacker can upload an arbitrary file instead of a plant image. |
| CVE-2025-30511 | High | 8.8 | 2025-04-15 | An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant. |
| CVE-2025-27939 | High | 7.5 | 2025-04-15 | An attacker can change the registered email addresses of other users and take over arbitrary accounts. |
| CVE-2025-31360 | Medium | 6.5 | 2025-04-15 | Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. |
| CVE-2025-30512 | Medium | 6.5 | 2025-04-15 | Unauthenticated attackers can send configuration settings to a device and possibly perform physical actions remotely (e.g., on/off). |
| CVE-2025-27929 | Medium | 5.3 | 2025-04-15 | Unauthenticated attackers can retrieve the full list of users associated with arbitrary accounts. |
| CVE-2025-24315 | Medium | 5.3 | 2025-04-15 | Unauthenticated attackers can add devices of other users to their scenes (or to arbitrary scenes of other arbitrary users). |
| CVE-2025-27561 | Medium | 5.3 | 2025-04-15 | Unauthenticated attackers can rename "rooms" of arbitrary users. |
| CVE-2025-30257 | Medium | 5.3 | 2025-04-15 | Unauthenticated attackers can retrieve the serial number of smart meters associated with a specific user account. |
| CVE-2025-31147 | Medium | 5.3 | 2025-04-15 | Unauthenticated attackers can query information about the total energy consumed by EV chargers of arbitrary users. |
| CVE-2025-27927 | Medium | 5.3 | 2025-04-15 | An unauthenticated attacker can obtain a list of smart devices by knowing a valid username through an unprotected API. |
| CVE-2025-24850 | Medium | 5.3 | 2025-04-15 | An attacker can export other users' plant information. |
| CVE-2025-25276 | Medium | 5.3 | 2025-04-15 | An unauthenticated attacker can hijack other users' devices and potentially control them. |
| CVE-2025-27565 | Medium | 5.3 | 2025-04-15 | An unauthenticated attacker can delete any user's "rooms" by knowing the user's ID and the room ID. |
| CVE-2025-27575 | Medium | 5.3 | 2025-04-15 | An unauthenticated attacker can obtain the EV charger version and firmware upgrade history by knowing the charger ID. |
| CVE-2025-31950 | Medium | 5.3 | 2025-04-15 | An unauthenticated attacker can obtain EV charger energy consumption information of other users. |
| CVE-2025-31945 | Medium | 5.3 | 2025-04-15 | An unauthenticated attacker can obtain other users' charger information. |
| CVE-2025-26857 | Medium | 5.3 | 2025-04-15 | Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers). |
| CVE-2025-27719 | Medium | 5.3 | 2025-04-15 | Unauthenticated attackers can query an API endpoint and get device details. |