CVE-2023-1934

Name of the Vulnerable Software and Affected Versions PnPSCADA (affected versions not specified)

Description The PnPSCADA system is affected by a critical unauthenticated error-based PostgreSQL Injection vulnerability. This security flaw is present within the "hitlogcsv.jsp" endpoint, allowing unauthenticated attackers to engage with the underlying database seamlessly and passively. As a result, malicious actors could gain access to vital information, such as Industrial Control System (ICS) and OT data, alongside other sensitive records like SMS and SMS Logs. The unauthorized database access exposes compromised systems to potential manipulation or breach of essential infrastructure data.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the "hitlogcsv.jsp" endpoint to minimize the risk of exploitation. Additionally, limiting database privileges and monitoring database activity can help mitigate the risk of unauthorized access.