Growatt ≫ Cloud Portal

Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.

Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).

Unauthenticated attackers can rename "rooms" of arbitrary users.

Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account.

Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.

Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.

Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off).

An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API.

Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal.

An attacker can upload an arbitrary file instead of a plant image.