Altenergy Power Control Software: SQL Injection (CVE-2024-11305) #shorts #breaking

CVE

This CVE relates to a critical vulnerability identified in the Altenergy Power Control Software up to version 20241108. The flaw is located in the get_status_zigbee function within the file /index.php/display/status_zigbee. It involves SQL Injection, a common attack that manipulates a database query through unchecked input fields. Specifically, the issue arises with the 'date' argument, which can be remotely exploited by attackers. Currently, a public exploit is available, increasing the risk of potential attacks on systems running the affected software versions. Users must be vigilant as the vendor has not yet responded to the disclosure.

This chain involves the following actors

This following systems are involved

Attack entry point

Remediation actions

Exploitation actions

• https://vuldb.com/?id.284914
• https://vuldb.com/?ctiid.284914
• https://vuldb.com/?submit.439800
• https://github.com/h0e4a0r1t/h0e4a0r1t.github.io/blob/master/2024/HYO%3BY)v%3B4%5C)jLCjp/Altenergy%20has%20a%20SQL%20injection%20vulnerability_status_zigbee.pdf