CVE-2024-11305 Scanner - SQL Injection vulnerability in Altenergy Power Control Software
Short Info
Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 26 days 12 hours
Scan only one: Domain, IPv4
Toolbox: -
The Altenergy Power Control Software is designed to manage and monitor energy systems in residential and commercial environments. It is primarily used by energy solution providers and system integrators to optimize power distribution and monitor performance remotely. Its applications span diverse industries, including renewable energy management and building automation.
This scanner detects a SQL Injection vulnerability in the Altenergy Power Control Software. This vulnerability stems from insufficient input validation in the `date` parameter of the `get_status_zigbee` function in `/index.php/display/status_zigbee`. Exploiting this issue allows attackers to manipulate SQL queries by injecting crafted payloads.
The vulnerability resides in the lack of sanitization and validation for the `date` parameter. An attacker can submit malicious SQL commands that execute arbitrary database queries, leading to potential data leakage or alteration. The vulnerable endpoint `/index.php/display/status_zigbee` can be exploited remotely, without local access or elevated privileges.
If successfully exploited, this vulnerability could allow attackers to compromise sensitive data, modify records, or disrupt system operations. It may also pave the way for further attacks against the affected system, causing significant security and operational risks for users of the software.
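The root cause described above, an unvalidated `date` value reaching the SQL text, is shown below next to a hardened handler. This is an added example, not the vendor's code: the table, column names, sample rows and function names are constructed, and Python with SQLite stands in for the product's PHP backend.

```python
import re
import sqlite3
from datetime import date

def make_db():
    # Constructed stand-in data; the product's real schema is not given on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE zigbee_status (day TEXT, device TEXT, signal INTEGER)")
    db.executemany(
        "INSERT INTO zigbee_status VALUES (?, ?, ?)",
        [("2024-11-01", "inv-A", 71),
         ("2024-11-01", "inv-B", 64),
         ("2024-11-02", "inv-A", 69)],
    )
    return db

def status_unsafe(db, date_param):
    # The flawed pattern: the request value is concatenated into the SQL text,
    # so quote characters in it change the structure of the query.
    sql = "SELECT device, signal FROM zigbee_status WHERE day = '" + date_param + "'"
    return db.execute(sql).fetchall()

DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

def parse_date(date_param):
    # Allow-list validation: exactly YYYY-MM-DD and a real calendar day.
    if not isinstance(date_param, str) or not DATE_RE.fullmatch(date_param):
        raise ValueError("date must be YYYY-MM-DD")
    return date.fromisoformat(date_param).isoformat()  # rejects e.g. 2024-02-30

def status_safe(db, date_param):
    # Validate first, then bind the value so it is only ever treated as data.
    day = parse_date(date_param)
    return db.execute(
        "SELECT device, signal FROM zigbee_status WHERE day = ? ORDER BY device",
        (day,),
    ).fetchall()

# Constructed test value containing quote characters and a tautology.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe rows for crafted value:", len(status_unsafe(db, CRAFTED)))
    print("safe rows for 2024-11-01:", status_safe(db, "2024-11-01"))
    try:
        status_safe(db, CRAFTED)
    except ValueError as exc:
        print("safe handler rejected crafted value:", exc)
```

Validation and parameter binding are independent controls: binding alone already keeps the value out of the SQL text, and the format check rejects malformed requests before they reach the database.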