CVE-2019-13070

MEDIUM

CyberPower PowerPanel Business Edition 3.4.0 - Stored Cross-Site Scripting in SNMP Trap Receivers Form

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-13070. PoCs published by Joey Lane.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in CyberPower PowerPanel Business Edition 3.4.0. The SNMP trap receiver configuration fields are not properly sanitized, allowing an authenticated user to inject arbitrary JavaScript code.

Description

A stored XSS vulnerability in the Agent/Center component of CyberPower PowerPanel Business Edition 3.4.0 allows a privileged attacker to embed malicious JavaScript in the SNMP trap receivers form. Upon visiting the /agent/action_recipient Event Action/Recipient page, the embedded code will be executed in the browser of the victim.

Exploits (1)

exploitdb WORKING POC
by Joey Lane · text · webapps · linux
https://www.exploit-db.com/exploits/47059

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: CyberPower PowerPanel Business Edition 3.4.0
Auth required
Prerequisites: Authenticated session · Valid JSESSIONID
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/47059

Scores

CVSS v3: 5.4
EPSS: 0.0076
EPSS Percentile: 50.5%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): cyberpowersystems/powerpanel 3.4.0
Published: Jul 09, 2019
Tracked Since: Feb 18, 2026