Vincent Mcrae

Researcher from RedTeamer IT Security
#46988 of 53,635
5.4 Total CVSS
Vulnerabilities · 1
PT-2023-29965
5.4
2023-12-29
Unknown · Solar-Log Base 15 Firmware · CVE-2023-46344
**Name of the Vulnerable Software and Affected Versions**

Solar-Log Base 15 Firmware version 6.0.1 Build 161

**Description**

A stored cross-site scripting (XSS) vulnerability in the switch group function under the `/#ilang=DE&b=c smartenergy swgroups` endpoint in the web portal allows an attacker to escalate their privileges. This can be exploited to gain the rights of an installer or PM, which can then be used to gain administrative access to the web portal and execute further attacks.

**Recommendations**

For Solar-Log Base 15 Firmware version 6.0.1 Build 161, update to a version that includes the fix. The vendor states that the vulnerability has been fixed with 3.0.0-60 11.10.2013 for SL 200, 500, 1000. As a temporary workaround, consider restricting access to the switch group function under the `/#ilang=DE&b=c smartenergy swgroups` endpoint in the web portal until a patch is available.