ID

VAR-202405-0028


CVE

CVE-2024-4547


TITLE

Delta Electronics DIAEnergie SQL Injection Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2025-01804

DESCRIPTION

A SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateScript' message, which is split into 4 fields using the '~' character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field. Delta Electronics DIAEnergie is an industrial energy management system launched by Delta Electronics in Taiwan, China. Delta Electronics DIAEnergie has a SQL injection vulnerability. An attacker can use this vulnerability to view, add, modify, or delete information in the backend database.

Trust: 1.44

sources: NVD: CVE-2024-4547 // CNVD: CNVD-2025-01804

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-01804

AFFECTED PRODUCTS

vendor: delta, model: electronics diaenergie, scope: lte, version: <=1.10.1.8610

Trust: 0.6

sources: CNVD: CNVD-2025-01804

CVSS

SEVERITY

vulnreport@tenable.com: CVE-2024-4547
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2025-01804
value: HIGH

Trust: 0.6

CVSSV2

CNVD: CNVD-2025-01804
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

vulnreport@tenable.com: CVE-2024-4547
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-01804 // NVD: CVE-2024-4547

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.0

sources: NVD: CVE-2024-4547

PATCH

title: Patch for Delta Electronics DIAEnergie SQL Injection Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/652066

Trust: 0.6

sources: CNVD: CNVD-2025-01804

EXTERNAL IDS

db: NVD, id: CVE-2024-4547

Trust: 1.6

db: TENABLE, id: TRA-2024-13

Trust: 1.6

db: CNVD, id: CNVD-2025-01804

Trust: 0.6

sources: CNVD: CNVD-2025-01804 // NVD: CVE-2024-4547

REFERENCES

url: https://www.tenable.com/security/research/tra-2024-13

Trust: 1.6

sources: CNVD: CNVD-2025-01804 // NVD: CVE-2024-4547

SOURCES

db: CNVD, id: CNVD-2025-01804
db: NVD, id: CVE-2024-4547

LAST UPDATE DATE

2025-01-24T22:58:15.320000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-01804, date: 2025-01-20T00:00:00
db: NVD, id: CVE-2024-4547, date: 2024-05-06T16:00:59.253

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-01804, date: 2025-01-21T00:00:00
db: NVD, id: CVE-2024-4547, date: 2024-05-06T14:15:08.330