CVE-2023-28343

Name of the Vulnerable Software and Affected Versions Altenergy Power Control Software version C1.2.5

Description The issue is related to OS command injection, which affects the software via shell metacharacters in the "index.php/management/set timezone" timezone parameter. This is due to the set timezone function in models/management model.php. Exploitation of this issue may allow a remote attacker to elevate privileges and execute arbitrary commands.

Recommendations For version C1.2.5, consider disabling the set timezone function in models/management model.php as a temporary workaround until a patch is available. Restrict access to the "index.php/management/set timezone" endpoint to minimize the risk of exploitation. Avoid using the timezone parameter in the affected API endpoint until the issue is resolved.