CWE-287: Improper Authentication vulnerability exists that could cause Denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.

Improper Input Validation vulnerability exists in PowerChute Business Edition (software V9.0.x and earlier) which could cause remote code execution when a script is executed during a shutdown event.

Cross-site scripting (XSS) vulnerability in Schneider Electric PowerChute Business Edition before 8.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

The web interface for American Power Conversion (APC) PowerChute Network Shutdown performs all communication in cleartext (base64-encoded), which allows remote attackers to sniff authentication credentials.

Unknown vulnerability in APC PowerChute Business Edition 6.0 through 7.0.1 allows remote attackers to cause a denial of service via unknown attack vectors.

PowerChute plus 5.0.2 creates a "Pwrchute" directory during installation that is shared and world writeable, which could allow remote attackers to modify or create files in that directory.

The HTTP service in American Power Conversion (APC) PowerChute uses a default username and password, which allows remote attackers to gain system access.