CVE-2012-5861

Name of the Vulnerable Software and Affected Versions Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server) versions prior to 2.0.2870 2.2.12 Sinapsi eSolar versions prior to 2.0.2870 2.2.12 Sinapsi eSolar DUO versions prior to 2.0.2870 2.2.12

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the inverterselect parameter in a primo action to "dettagliinverter.php" or the lingua parameter to "changelanguagesession.php".

Recommendations For Sinapsi eSolar Light Photovoltaic System Monitor versions prior to 2.0.2870 2.2.12, update to version 2.0.2870 2.2.12 or later. For Sinapsi eSolar versions prior to 2.0.2870 2.2.12, update to version 2.0.2870 2.2.12 or later. For Sinapsi eSolar DUO versions prior to 2.0.2870 2.2.12, update to version 2.0.2870 2.2.12 or later. As a temporary workaround, consider restricting access to the "dettagliinverter.php" and "changelanguagesession.php" endpoints until a patch is available. Avoid using the inverterselect and lingua parameters in the affected API endpoints until the issue is resolved.