The TDengine DAQ storage connector's escapeTdString at server/runtime/storage/tdengine/index.js:10 doubles single quotes but does not escape backslashes. TDengine's SQL parser treats ' as a literal single quote inside a string, so a tag id of the form x' OR 1=1-- escapes the first single quote, lets the doubled quote close the string, and appends an injected clause that runs on the TDengine server. An attacker (Alice) sends the crafted sids value through GET /api/daq or the Socket.IO DAQ QUERY event and reads every row in fuxa.meters, which holds the historical tag values of every PLC the FUXA instance records.

The TDengine DAQ storage connector did not correctly sanitize user-controlled values before including them in SQL queries.

A specially crafted tag identifier could bypass the intended escaping logic and alter the query executed against the TDengine database.

This could allow unauthorized access to historical DAQ data stored in TDengine, including recorded tag values and related metadata.

The issue has been fixed in version 1.3.2 by improving input escaping in the TDengine connector.

An attacker with network access to a FUXA instance configured with TDengine as the DAQ backend reads the entire historical tag-value archive: every PLC tag the instance has recorded, plus the associated device ids and device names. Turning on authentication does not close the gap: the Socket.IO DAQ QUERY handler has no authorization check, and /api/daq accepts guest-level requests. No login is needed in the default configuration.

A fix is available at https://github.com/frangoteam/FUXA/releases/tag/v1.3.2.