CVE-2025-24297

Critical CVSS: 9.3

Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal.

Vendor

Product

CWE

Yayın Tarihi

2025-04-15 22:15:15

Güncelleme

2025-11-14 18:14:47

Source Identifier

ics-cert@hq.dhs.gov

KEV Date Added

CWE-79 Cloud Portal CRITICAL Growatt 2025

https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04

High

CVE-2025-36750

ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the Plant Name field. A HTML payload will be di…

Critical

CVE-2025-36752

Growatt ShineLan-X communication dongle has an undocumented backup account with undocumented credentials which allows si…

High

CVE-2025-36753

The SWD debug interface on the Growatt ShineLan-X communication dongle is available by default, allowing an attacker to…

Critical

CVE-2025-36747

ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish…

High

CVE-2025-36748

ShineLan-X contains a stored cross site scripting (XSS) vulnerability in the local configuration web server. The JavaScr…

Medium

CVE-2025-31147

Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.