Growatt

35 CVEs • 3 products

Products (3)

CVEs (35)

| VENDORS | PRODUCTS | UPDATED | PUBLISHED | CVSS v4 | CVSS v3 | CVSS v2 | DESCRIPTION |
|---|---|---|---|---|---|---|---|
| 1 Growatt | 1 Cloud Portal | Nov 14, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 6.5 MEDIUM | N/A | An unauthenticated attacker can hijack other users' devices and potentially control them. |
| 1 Growatt | 1 Cloud Portal | Nov 14, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 5.3 MEDIUM | N/A | An attacker can export other users' plant information. |
| 1 Growatt | 1 Cloud Portal | Nov 14, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 5.3 MEDIUM | N/A | Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users). |
| 1 Growatt | 1 Cloud Portal | Nov 14, 2025 | Apr 15, 2025 | 9.3 CRITICAL | 9.8 CRITICAL | N/A | Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users' personal spaces of the web portal. |
| 1 Growatt | 1 Cloud Portal | Nov 14, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 5.3 MEDIUM | N/A | An authenticated attacker can obtain any plant name by knowing the plant ID. |
| 1 Growatt | 1 Cloud Portal | Nov 14, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 5.3 MEDIUM | N/A | An unauthenticated attacker can obtain a list of smart devices by knowing a valid username. |
| 1 Growatt | 1 Cloud Portal | Nov 14, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 5.3 MEDIUM | N/A | An unauthenticated attacker can check the existence of usernames in the system by querying an API. |
| 1 Growatt | 1 Cloud Portal | Nov 14, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 5.3 MEDIUM | N/A | An unauthenticated attacker can obtain a user's plant list by knowing the username. |
| 1 Growatt | 1 Cloud Portal | Nov 12, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 5.3 MEDIUM | N/A | Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "scenes"). |
| 1 Growatt | 1 Cloud Portal | Nov 12, 2025 | Apr 15, 2025 | 8.7 HIGH | 5.4 MEDIUM | N/A | An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant. |
| 1 Growatt | 1 Cloud Portal | Nov 12, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 5.3 MEDIUM | N/A | An unauthenticated attacker can obtain the serial number(s) of smart meter(s) using the owner's username. |
| 1 Growatt | 1 Cloud Portal | Nov 12, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 7.5 HIGH | N/A | An attacker can change registered email addresses of other users and take over arbitrary accounts. |
| 1 Growatt | 1 Cloud Portal | Nov 12, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 5.3 MEDIUM | N/A | Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms"). |
| 1 Growatt | 1 Cloud Portal | Nov 12, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 5.3 MEDIUM | N/A | An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request. |
| 1 Growatt | 1 Cloud Portal | Nov 12, 2025 | Apr 15, 2025 | 6.9 MEDIUM | 5.3 MEDIUM | N/A | An unauthenticated attacker can infer the existence of usernames in the system by querying an API. |