SB2025031444 - Multiple vulnerabilities in Sungrow iSolarCloud Android App

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025031444

SB2025031444 - Multiple vulnerabilities in Sungrow iSolarCloud Android App

Published: March 14, 2025

Security Bulletin ID SB2025031444
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 40% Medium 60%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2024-50687)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to multiple insecure direct object references (IDOR) within the devService API model. A remote attacker can gain unauthorized access to user data and potentially modify key identifying data values.


2) Authorization bypass through user-controlled key (CVE-ID: CVE-2024-50686)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to multiple insecure direct object references (IDOR) within the commonService API model. A remote attacker can gain unauthorized access to user data and potentially modify key identifying data values.


3) Authorization bypass through user-controlled key (CVE-ID: CVE-2024-50689)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to multiple insecure direct object references (IDOR) within the orgService API model. A remote attacker can gain unauthorized access to user data and potentially modify key identifying data values.


4) Authorization bypass through user-controlled key (CVE-ID: CVE-2024-50693)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to multiple insecure direct object references (IDOR) within the userService API model. A remote attacker can gain unauthorized access to user data and potentially modify key identifying data values.


5) Authorization bypass through user-controlled key (CVE-ID: CVE-2024-50685)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to multiple insecure direct object references (IDOR) within the powerStationService API model. A remote attacker can gain unauthorized access to user data and potentially modify key identifying data values.


Remediation

Install update from vendor's website.

References