Attacker Gains Read and Write Access to Log Files via SQL Injection
CVE-2024-11025

5.4MEDIUM

Key Information:

Vendor: Sma
Status: Sunny Central Sc 1760-us; Sunny Central Sc 1850-us; Sunny Central Sc 2000 Ev-us; Sunny Central Sc 2000-us
Vendor: CVE Published:; 27 November 2024

What is CVE-2024-11025?

An authenticated attacker with low privileges may use a SQL Injection vulnerability in the affected products administration panel to gain read and write access to a specific log file of the device.

Affected Version(s)

Sunny Central SC 1760-US 0 < 10.01.18.R

Sunny Central SC 1850-US 0 < 10.01.18.R

Sunny Central SC 2000 EV-US 0 < 10.01.18.R

References

https://certvde.com/en/advisories/VDE-2024-074

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 27, 2024
Vulnerability Reserved
Nov 8, 2024

Credit

Pierre Martin from Synacktiv