CVE-2019-19229

Name of the Vulnerable Software and Affected Versions Fronius Solar Inverter devices versions prior to 3.14.1 (HM 1.12.1)

Description The issue allows for directory traversal via the action=download&filename= parameter in the admincgi-bin/service.fcgi endpoint. This could potentially lead to unauthorized access to sensitive files on the device.

Recommendations For versions prior to 3.14.1 (HM 1.12.1), update to version 3.14.1 (HM 1.12.1) or later to resolve the issue. As a temporary workaround, consider restricting access to the admincgi-bin/service.fcgi endpoint to minimize the risk of exploitation. Avoid using the filename parameter in the affected endpoint until the issue is resolved.