CVE-2021-46416

Published: Apr 7, 2022Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling.

Affected (1)

Products: Sma: Sunny Tripower Firmware

Sma

1 product

Sunny Tripower Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sma Sunny Tripower Firmware	Version 3.10.16.r

Running on/with	Platform Versions
Sma Sunny Tripower	Version 5.0

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (6)

http://packetstormsecurity.com/files/166670/SAM-SUNNY-TRIPOWER-5.0-Insecure-Direct-Object-Reference.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://drive.google.com/drive/folders/1BPULhDC_g__seH_VnQlVtkrKdOLkXdzV?usp=sharing

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.sma.de/en/products/solarinverters/sunny-tripower-30-40-50-60.html

Source: cve@mitre.org

ProductVendor Advisory

http://packetstormsecurity.com/files/166670/SAM-SUNNY-TRIPOWER-5.0-Insecure-Direct-Object-Reference.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://drive.google.com/drive/folders/1BPULhDC_g__seH_VnQlVtkrKdOLkXdzV?usp=sharing

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.sma.de/en/products/solarinverters/sunny-tripower-30-40-50-60.html

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

Timeline

No history available yet.