1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Delta Electronics
- Equipment: DIAEnergie
- Vulnerabilities: SQL Injection, Path Traversal
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an authenticated attacker with limited privileges to escalate privileges, retrieve confidential information, upload arbitrary files, backdoor the application, and compromise the system on which DIAEnergie is deployed.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Delta Electronics DIAEnergie, an industrial energy management system, are affected:
- DIAEnergie: Versions v1.10.00.005
3.2 Vulnerability Overview
3.2.1 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) CWE-89
Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the script Handler_CFG.ashx. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed.
CVE-2024-34031 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-34031. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/S
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: