CVE-2024-11305
Published: 18 November 2024
Summary
CVE-2024-11305 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 5.3 (Medium).
Operationally, ranked in the top 2.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A SQL injection vulnerability exists in Altenergy Power Control Software up to version 20241108. The flaw resides in the get_status_zigbee function within the /index.php/display/status_zigbee endpoint, where unsanitized input to the date argument is passed directly into database queries. The issue is tracked under CWE-74 and CWE-89 and carries a CVSS 4.0 score of 5.3 reflecting network-accessible, low-privilege exploitation with limited impact on confidentiality, integrity, and availability.
An authenticated remote attacker can supply crafted date values to execute arbitrary SQL statements against the underlying database. Successful exploitation may allow extraction or modification of application data without requiring user interaction, and a public proof-of-concept has been released.
No vendor patch or official advisory has been issued; the vendor was notified prior to disclosure but did not respond. Public references consist of a detailed technical write-up and entries in the Vuldb database.
EPSS for the CVE rose from lower values to a peak of 0.6399 on 2025-12-11 before receding to the current 0.4646, indicating a period of increased exploitation interest after initial publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33717
Vulnerability details
A vulnerability classified as critical was found in Altenergy Power Control Software up to 20241108. This vulnerability affects the function get_status_zigbee of the file /index.php/display/status_zigbee. The manipulation of the argument date leads to sql injection. The attack can be initiated…
more
remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Validates query inputs to prevent SQL syntax or command manipulation.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.