CVE-2024-11305
published 2024-11-18CVE-2024-11305: A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108. This vulnerability affects the function get_status_zigbee…
PriorityP275medium6.3CVSS 3.1
AVNACLPRLUINSUCLILAL
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
3.72%
88.4th percentile
A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108. This vulnerability affects the function get_status_zigbee of the file /index.php/display/status_zigbee. The manipulation of the argument date leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| altenergy | power_control_software | — | — |
Detection & IOCsextracted from sources · hover to see the quote
commanddate=2024-11-06%' UNION ALL SELECT 11,CHAR(113)||CHAR(75,101,86,69,115,83,113,89,100,122,121,102,83,83,113,86,84,112,100,103,69,75,80,117,88,109,83,105,89,116,110,120,76,84,73,109,115,100,83,107)||CHAR(113,118,98,98,113),11-- wPIB
otherqKeVEsSqYdzyfSSqVTpdgEKPuXmSiYtnxLTImsdSkqvbbq
- →Detect POST requests to /index.php/display/status_zigbee with a 'date' parameter containing SQL UNION injection syntax (e.g., UNION ALL SELECT, CHAR() concatenation, and comment sequences like '-- ').
- →Successful exploitation returns HTTP 200 with Content-Type text/html and the body contains both the string 'Status(ZigBee)' and the canary string 'qKeVEsSqYdzyfSSqVTpdgEKPuXmSiYtnxLTImsdSkqvbbq'.
- →Use Shodan/FOFA/Google dorks to identify exposed Altenergy Power Control Software instances as potential targets: Shodan 'http.title:"altenergy power control software"', FOFA 'title="altenergy power control software"', Google 'intitle:"altenergy power control software"'.
- →The attack requires authentication (PR:L) and is delivered via a POST request with Content-Type application/x-www-form-urlencoded to the status_zigbee endpoint.
- ·The vulnerability affects Altenergy Power Control Software versions up to 20241108 only; later versions (if patched) would not be affected. ↗
- ·Exploitation requires a low-privilege authenticated session (CVSS PR:L); unauthenticated scanning will not trigger the vulnerability.
- ·The EPSS score of 0.46159 (97.6th percentile) indicates a very high probability of exploitation in the wild; prioritize detection and patching accordingly.
CVSS provenance
nvdv3.16.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-w5qm-w7h3-7prh: A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108
ghsa_unreviewed·2024-11-18
CVE-2024-11305 [MEDIUM] CWE-74 GHSA-w5qm-w7h3-7prh: A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108
A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108. This vulnerability affects the function get_status_zigbee of the file /index.php/display/status_zigbee. The manipulation of the argument date leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
VulnCheck
Altenergy Power Control Software SQL Injection
vulncheck·2024·CVSS 5.3
CVE-2024-11305 [MEDIUM] Altenergy Power Control Software SQL Injection
Altenergy Power Control Software SQL Injection
A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108. This vulnerability affects the function get_status_zigbee of the file /index.php/display/status_zigbee. The manipulation of the argument date leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected: Altenergy Power Power Control Software
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerabilit
No detection rules found.
Nuclei
Altenergy Power Control Software - SQL Injection
nuclei·CVSS 5.3
CVE-2024-11305 [MEDIUM] Altenergy Power Control Software - SQL Injection
Altenergy Power Control Software - SQL Injection
A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108. This vulnerability affects the function get_status_zigbee of the file /index.php/display/status_zigbee. The manipulation of the argument date leads to sql injection. The attack can be initiated remotely.
Template:
id: CVE-2024-11305
info:
name: Altenergy Power Control Software - SQL Injection
author: s4e-io
severity: medium
description: |
A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108. This vulnerability affects the function get_status_zigbee of the file /index.php/display/status_zigbee. The manipulation of the argument date leads to sql injection. The attack can be initiated remotely.
2024-11-18
Published
Exploited in the wild