Unauthenticated Remote SQLi Vulnerability in DIAEnergie
CVE-2024-4547

9.8 CRITICAL

Key Information:

Vendor
CVE Published:
6 May 2024

Summary

A SQL injection vulnerability has been identified in the Delta Electronics DIAEnergie software, affecting versions v1.10.1.8610 and earlier. The flaw is triggered when the software's CEBC.exe component processes a 'RecalculateScript' message, whose fields are separated by the '~' character. An unauthenticated remote attacker may be able to exploit it by manipulating the message's fourth field, potentially executing unauthorized SQL queries. This can lead to unauthorized data access, data modification, or other malicious activity against the affected systems.
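
The pattern described above, shown as an added example that is not DIAEnergie code: a handler that pastes the fourth '~'-separated field into SQL text, beside one that binds it as a parameter. The field layout (command name as the first field), the `scripts` table, the function names and the use of sqlite3 as a stand-in database are all assumptions made for illustration.

```python
import sqlite3

DELIM = "~"
# Constructed sample messages; the layout is assumed, not taken from the product.
BENIGN = "RecalculateScript~f2~f3~alpha"
HOSTILE = "RecalculateScript~f2~f3~x' OR '1'='1"

def build_db():
    """In-memory stand-in table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scripts (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO scripts VALUES (?, ?)",
                   [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return db

def fourth_field(raw):
    """Split on '~' and return the fourth field, rejecting short messages."""
    fields = raw.split(DELIM)
    if len(fields) < 4:
        raise ValueError("message has fewer than four fields")
    return fields[3]

def lookup_concatenated(db, raw):
    """Unsafe: the field becomes part of the SQL text itself."""
    sql = ("SELECT name FROM scripts WHERE name = '"
           + fourth_field(raw) + "' ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, raw):
    """Safe: the field is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM scripts WHERE name = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (fourth_field(raw),))]

if __name__ == "__main__":
    db = build_db()
    for label, msg in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, "concatenated :", lookup_concatenated(db, msg))
        print(label, "parameterized:", lookup_parameterized(db, msg))
```

With the hostile message, the concatenated query matches every row because the quote in the field closes the string literal, while the parameterized query looks for a name equal to the whole field and matches nothing.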

Affected Version(s)

DIAEnergie: versions 0 through 1.10.1.8610

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
