ID

VAR-202405-0030


CVE

CVE-2024-4548


TITLE

Delta Electronics DIAEnergie SQL Injection Vulnerability (CNVD-2024-29663)

Trust: 0.6

sources: CNVD: CNVD-2024-29663

DESCRIPTION

An SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateHDMWYC' message, which is split into 4 fields using the '~' character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field. Delta Electronics DIAEnergie is an industrial energy management system from Delta Electronics, a Taiwanese company, used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency. Delta Electronics DIAEnergie v1.10.1.8610 and earlier versions have a SQL injection vulnerability.

Trust: 1.44

sources: NVD: CVE-2024-4548 // CNVD: CNVD-2024-29663

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-29663

AFFECTED PRODUCTS

vendor: delta, model: electronics delta electronics diaenergie, scope: lte, version: <=1.10.1.8610

Trust: 0.6

sources: CNVD: CNVD-2024-29663

CVSS

SEVERITY

vulnreport@tenable.com: CVE-2024-4548
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2024-29663
value: HIGH

Trust: 0.6

CVSSV2

CNVD: CNVD-2024-29663
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

vulnreport@tenable.com: CVE-2024-4548
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2024-29663 // NVD: CVE-2024-4548

PROBLEMTYPE DATA

problemtype: CWE-20

Trust: 1.0

sources: NVD: CVE-2024-4548

PATCH

title: Patch for Delta Electronics DIAEnergie SQL Injection Vulnerability (CNVD-2024-29663), url: https://www.cnvd.org.cn/patchInfo/show/563801

Trust: 0.6

sources: CNVD: CNVD-2024-29663

EXTERNAL IDS

db: TENABLE, id: TRA-2024-13

Trust: 1.6

db: NVD, id: CVE-2024-4548

Trust: 1.6

db: CNVD, id: CNVD-2024-29663

Trust: 0.6

sources: CNVD: CNVD-2024-29663 // NVD: CVE-2024-4548

REFERENCES

url: https://www.tenable.com/security/research/tra-2024-13

Trust: 1.6

sources: CNVD: CNVD-2024-29663 // NVD: CVE-2024-4548

SOURCES

db: CNVD, id: CNVD-2024-29663
db: NVD, id: CVE-2024-4548

LAST UPDATE DATE

2024-08-14T14:01:16.423000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2024-29663, date: 2024-06-28T00:00:00
db: NVD, id: CVE-2024-4548, date: 2024-05-06T16:00:59.253

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2024-29663, date: 2024-06-28T00:00:00
db: NVD, id: CVE-2024-4548, date: 2024-05-06T14:15:08.533