The iSolarCloud orgService API is vulnerable to Insecure Direct Object References (IDOR). Attackers can exploit this issue to access and modify organizational data without proper authentication, potentially leading to unauthorized modifications of organization-wide settings, exposure of sensitive business data, and disruption of services.
Affected Versions
Vulnerable: The iSolarCloud commonService vulnerability, which was remediated on October 31, 2024, had exposed the system to security risks before its mitigation.
Not Affected: The iSolarCloud commonService vulnerability, which was remediated on October 31, 2024, has posed no risk to the system since its resolution.
Vulnerability Rating
CVE-2024-50689:8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
The scoring is based on the CVSS 3.1 standard. The scoring criteria can be referenced at
(https://www.first.org/cvss/calculator/3.1)
Mitigation and Remediation
Exploitation Status
No known exploitation in the wild.
Acknowledgments
This vulnerability was discovered and reported by Forescout Technologies.
Statement
All software updates, patches, and documentation provided by Sungrow Power Supply Co., Ltd. are the proprietary work of Sungrow. These materials may only be used for product maintenance and security improvements. Any unauthorized modification, distribution, decompilation, or reverse engineering is strictly prohibited.
Sungrow makes no express or implied warranties regarding the information provided, including but not limited to warranties of merchantability, fitness for a particular purpose, or non-infringement. Sungrow shall not be liable for any direct, indirect, incidental, or consequential damages arising from the use of this document or associated software.
Sungrow reserves the right to update or modify this document at any time without prior notice. Customers are responsible for implementing security updates in a timely manner to protect their systems.