CVE-2024-11025

Summary

An authenticated attacker with low privileges may use a SQL Injection vulnerability in the affected products administration panel to gain read and write access to a specific log file of the device.

Affected Software

VendorProductVersion RangeStatus
SMASunny Central SC 1760-US0 < 10.01.18.Raffected
SMASunny Central SC 1850-US0 < 10.01.18.Raffected
SMASunny Central SC 2000 EV-US0 < 10.01.18.Raffected
SMASunny Central SC 2000-US0 < 10.01.18.Raffected
SMASunny Central SC-2200-100 < 10.01.18.Raffected
SMASunny Central SC 2200-US0 < 10.01.18.Raffected
SMASunny Central SC-2475-100 < 10.01.18.Raffected
SMASunny Central SC 2500 EV-US0 < 10.01.18.Raffected
SMASunny Central SC 2660 UP0 < 10.01.18.Raffected
SMASunny Central SC 2660 UP-US0 < 10.01.18.Raffected
SMASunny Central SC 2750 EV-US0 < 10.01.18.Raffected
SMASunny Central SC 2750 UP-US0 < 10.01.18.Raffected
SMASunny Central SC 2800 UP0 < 10.01.18.Raffected
SMASunny Central SC 2800 UP-US0 < 10.01.18.Raffected
SMASunny Central SC 2930 UP0 < 10.01.18.Raffected
SMASunny Central SC 2930 UP-US0 < 10.01.18.Raffected
SMASunny Central SC 3060 UP0 < 10.01.18.Raffected
SMASunny Central SC 3060 UP-US0 < 10.01.18.Raffected
SMASunny Central SC 4000 UP0 < 10.01.18.Raffected
SMASunny Central SC 4000 UP-US0 < 10.01.18.Raffected
SMASunny Central SC 4200 UP0 < 10.01.18.Raffected
SMASunny Central SC 4200 UP-US0 < 10.01.18.Raffected
SMASunny Central SC 4400 UP0 < 10.01.18.Raffected
SMASunny Central SC 4400 UP-JP0 < 10.01.18.Raffected
SMASunny Central SC 4400 UP-US0 < 10.01.18.Raffected
SMASunny Central SC 4600 UP0 < 10.01.18.Raffected
SMASunny Central SC 4600 UP-US0 < 10.01.18.Raffected
SMASunny Central Storage SCS-1900-100 < 10.01.18.Raffected
SMASunny Central Storage SCS-2200-100 < 10.01.18.Raffected
SMASunny Central Storage SCS 2300 UP-XT0 < 10.01.18.Raffected
SMASunny Central Storage SCS 2300 UP-XT-US0 < 10.01.18.Raffected
SMASunny Central Storage SCS 2400 UP-XT0 < 10.01.18.Raffected
SMASunny Central Storage SCS 2400 UP-XT-US0 < 10.01.18.Raffected
SMASunny Central Storage SCS-2475-100 < 10.01.18.Raffected
SMASunny Central Storage SCS 2530 UP-XT0 < 10.01.18.Raffected
SMASunny Central Storage SCS 2530 UP-XT-US0 < 10.01.18.Raffected
SMASunny Central Storage SCS 2630 UP-XT0 < 10.01.18.Raffected
SMASunny Central Storage SCS 2630 UP-XT-US0 < 10.01.18.Raffected
SMASunny Central Storage SCS-2900-100 < 10.01.18.Raffected
SMASunny Central Storage SCS 3450 UP0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3450 UP-US0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3450 UP-XT0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3450 UP-XT-JP0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3450 UP-XT-US0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3600 UP0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3600 UP-US0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3600 UP-XT0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3600 UP-XT-US0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3800 UP0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3800 UP-US0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3800 UP-XT0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3800 UP-XT-US0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3950 UP0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3950 UP-US0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3950 UP-XT0 < 10.01.18.Raffected
SMASunny Central Storage SCS 3950 UP-XT-US0 < 10.01.18.Raffected

Weaknesses

  • CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References