Jesse Chick

#25640 of 53,633
9.8 Total CVSS
Vulnerabilities · 1
PT-2023-23928
9.8
2023-08-13
Dataprobe · Dataprobe Iboot Pdu · CVE-2023-3264
**Name of the Vulnerable Software and Affected Versions**

Dataprobe iBoot PDU version 1.43.03312023 or earlier

**Description**

The issue concerns the use of hard-coded credentials for interactions with the internal Postgres database and an authentication bypass vulnerability in the REST API due to the mishandling of special characters when parsing credentials. This allows a malicious agent to obtain a valid authorization token, read information relating to the state of the relays and power distribution, and potentially read, modify, or delete arbitrary database records.

**Recommendations**

For version 1.43.03312023 or earlier, as a temporary workaround, consider restricting access to the REST API and the internal Postgres database to minimize the risk of exploitation. Avoid using special characters when parsing credentials in the REST API until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.