PT-2022-21724 · Unknown · Power Distribution Units

Published: 2022-06-13 · Updated: 2023-08-08 · CVE-2022-33175

CVSS v3.1: 9.8 (Critical)
Vector: AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N
Vulnerable software and affected versions: Power Distribution Units running Powertek firmware versions prior to 3.30.30

Description: The issue is an insecure permission setting on the user.token field, which is readable through the "/cgi/get_param.cgi" HTTP API endpoint. This discloses the active session IDs of currently logged-in administrators. An attacker who reuses such a session ID can impersonate the administrator, read the cleartext password, or reconfigure the device.

Recommendations: For versions prior to 3.30.30, update to version 3.30.30 or later to resolve the issue. As a temporary workaround, restrict access to the "/cgi/get_param.cgi" API endpoint to reduce the risk of exploitation, and avoid using the user.token field in the affected endpoint until the issue is resolved.
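Added example (not part of the advisory): a detection check that goes with the workaround above, assuming the PDU web interface sits behind a reverse proxy that writes common-format access logs, that the management subnet is 10.10.0.0/24, and that the endpoint path is /cgi/get_param.cgi (the advisory text renders it with a space). It flags requests for that endpoint from outside the management subnet, separating responses that were actually served (200) from blocked probes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Management subnet allowed to reach the PDU web interface (assumed; adjust to your network).
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]
# Endpoint named in the advisory (rendered there with a space, taken here as an underscore).
SENSITIVE_ENDPOINT = "/cgi/get_param.cgi"
# Common/combined access-log line as written by a reverse proxy in front of the PDU (assumed).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop any query string before comparing
    rec["status"] = int(rec["status"])
    return rec

def is_allowed(src):
    """True if the client address lies inside an allowed management subnet."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_SOURCES)

def find_findings(lines):
    """Flag requests for the token-leaking endpoint from outside the management subnet.
    A 200 means the endpoint (and so user.token) was served; anything else is a probe."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != SENSITIVE_ENDPOINT or is_allowed(rec["src"]):
            continue
        severity = "exposed" if rec["status"] == 200 else "probe"
        findings.append({"src": rec["src"], "time": rec["time"], "severity": severity})
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.10.0.5 - - [13/Jun/2022:10:00:01 +0000] "GET /cgi/get_param.cgi?v=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Jun/2022:10:02:13 +0000] "GET /cgi/get_param.cgi HTTP/1.1" 200 498',
    '198.51.100.7 - - [13/Jun/2022:10:02:20 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.9 - - [13/Jun/2022:10:05:44 +0000] "GET /cgi/get_param.cgi HTTP/1.1" 403 0',
]
```

Run `find_findings(SAMPLE_LOG)` to see the two flagged entries; an "exposed" finding means a session token may already have been disclosed and the affected sessions should be invalidated.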

Weakness Enumeration: Incorrect Permission

Related Identifiers: CVE-2022-33175

Affected Products: Power Distribution Units (Powertek)