CVE-2023-46344

Published: Feb 2, 2024Modified: May 7, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

A vulnerability in Solar-Log Base 15 Firmware 6.0.1 Build 161, and possibly other Solar-Log Base products, allows an attacker to escalate their privileges by exploiting a stored cross-site scripting (XSS) vulnerability in the switch group function under /#ilang=DE&b=c_smartenergy_swgroups in the web portal. The vulnerability can be exploited to gain the rights of an installer or PM, which can then be used to gain administrative access to the web portal and execute further attacks. NOTE: The vendor states that this vulnerability has been fixed with 3.0.0-60 11.10.2013 for SL 200, 500, 1000 / not existing for SL 250, 300, 1200, 2000, SL 50 Gateway, SL Base.

Affected (1)

Products: Solar Log: 2000 Pm+ Firmware

1 product

2000 Pm+ Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Solar Log 2000 Pm+ Firmware	Version 15.10.2019

Running on/with	Platform Versions
Solar Log 2000 Pm+	All versions

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (5)

http://solar-log.com

Source: cve@mitre.org

Product

https://github.com/vinnie1717/CVE-2023-46344/blob/main/Solar-Log%20XSS

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.solar-log.com/en/support/firmware-database-1

Source: cve@mitre.org

http://solar-log.com

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://github.com/vinnie1717/CVE-2023-46344/blob/main/Solar-Log%20XSS

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.