Plattform
php
Komponente
growatt-cloud-portal
Behoben in
3.6.0
CVE-2025-24297 describes a critical Cross-Site Scripting (XSS) vulnerability affecting the Growatt Cloud portal. This flaw arises from insufficient server-side input validation, enabling attackers to inject malicious JavaScript code into users' personal spaces within the portal. Versions 0.0 through 3.6.0 are vulnerable, and a patch is available in version 3.6.0.
Successful exploitation of CVE-2025-24297 allows an attacker to execute arbitrary JavaScript code within the context of a victim's Growatt Cloud portal session. This can lead to a wide range of malicious activities, including session hijacking, credential theft, and defacement of the user's personal space. Attackers could potentially gain access to sensitive data related to solar energy production and system configurations. The impact is particularly severe because the portal likely handles sensitive user information and control over connected devices.
CVE-2025-24297 was publicly disclosed on 2025-04-15. The CVSS score of 9.8 (CRITICAL) indicates a high probability of exploitation. No public proof-of-concept (PoC) code has been observed as of this writing, but the ease of XSS exploitation suggests that it is likely to be developed. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns targeting Growatt Cloud portal users.
Growatt Cloud portal users running versions 0.0 through 3.6.0 are at risk. This includes solar energy system owners, installers, and monitoring service providers who rely on the portal for managing and analyzing their solar energy systems. Shared hosting environments where multiple users share the same Growatt Cloud portal instance are particularly vulnerable.
• php / web:
curl -I 'https://your-growatt-portal.com/personal_space?input=<script>alert(1)</script>' | grep -i 'content-security-policy'• generic web:
curl -s 'https://your-growatt-portal.com/personal_space?input=<script>alert(1)</script>' | grep 'alert(1)'disclosure
Exploit-Status
EPSS
0.37% (58% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-24297 is to immediately upgrade the Growatt Cloud portal to version 3.6.0 or later. If upgrading is not immediately feasible, consider implementing strict Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the sources from which scripts can be loaded. Additionally, carefully review and sanitize all user-supplied input before rendering it in the portal. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into a user's personal space and verifying that it is properly sanitized and does not execute.
Actualice el portal Growatt Cloud a la versión 3.6.0 o superior. Esta versión incluye validación de entrada del lado del servidor para prevenir la inyección de código JavaScript malicioso. Consulte las notas de la versión para obtener más detalles sobre la actualización.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-24297 is a critical Cross-Site Scripting (XSS) vulnerability in Growatt Cloud portal versions 0.0 - 3.6.0, allowing attackers to inject malicious JavaScript code.
If you are using Growatt Cloud portal versions 0.0 through 3.6.0, you are potentially affected by this vulnerability.
Upgrade to Growatt Cloud portal version 3.6.0 or later to resolve this vulnerability. Implement CSP headers as a temporary workaround.
While no active exploitation has been confirmed, the high CVSS score suggests a high probability of exploitation. Monitor for any signs of attacks.
Refer to the official Growatt security advisory for detailed information and updates regarding CVE-2025-24297.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.