Growatt ≫ Cloud Portal

Unauthenticated attackers can obtain restricted information about a user's smart device collections (i.e., "rooms").

An attacker can change registered email addresses of other users and take over arbitrary accounts.

An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner's username.

An unauthenticated attacker can get users' emails by knowing usernames. A password reset email will be sent in response to this unsolicited request.

An unauthenticated attacker can infer the existence of usernames in the system by querying an API.

An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.

An unauthenticated attacker can obtain a user's plant list by knowing the username.

An authenticated attacker can obtain any plant name by knowing the plant ID.

An unauthenticated attacker can check the existence of usernames in the system by querying an API.

An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant.