[Update 17/10/2024] SQL injection in QPLANT by TAI Smart Factory

Posted date 15/10/2024
Identifier
INCIBE-2024-0510
Importance
5 - Critical
Affected Resources

QPLANT SF, version 1.0.

Description

INCIBE has coordinated the publication of a critical-severity vulnerability affecting QPLANT by TAI Smart Factory, a system for capturing and managing plant data that coordinates, distributes, arbitrates, integrates and represents the information of the main system and the elements of the plant in real time. The vulnerability was discovered by Adrián Marín Villar.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-9925: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89

Solution

There is no reported solution at this time.

Detail

CVE-2024-9925: SQL injection vulnerability in TAI Smart Factory's QPLANT. Exploitation of this vulnerability could allow a remote attacker to retrieve all database information by sending a specially crafted SQL query to the ‘email’ parameter on the ‘RequestPasswordChange’ endpoint.
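
With no fix reported, one compensating control is a strict allowlist filter placed in front of the affected endpoint, sketched below as an added example that is not code from INCIBE or TAI Smart Factory. Only the 'email' parameter and 'RequestPasswordChange' endpoint names come from the advisory; the URL path, the body encodings (form-encoded and JSON), the 254-character limit and the function names are assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Assumed (not in the advisory): URL path, body encodings, length limit.
ENDPOINT = "RequestPasswordChange"
MAX_LEN = 254
# Conservative allowlist: no quotes, whitespace, semicolons or parentheses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9.-]{1,185}\.[A-Za-z]{2,24}")


def extract_email_values(content_type, body):
    """Return all values supplied for 'email', or None if the body is opaque."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "application/json":
        try:
            doc = json.loads(body)
        except ValueError:
            return None
        return [doc["email"]] if isinstance(doc, dict) and "email" in doc else []
    if ctype == "application/x-www-form-urlencoded":
        return parse_qs(body, keep_blank_values=True).get("email", [])
    return None  # unknown encoding cannot be inspected, so it is rejected


def check_request(path, content_type, body):
    """Return (allowed, reason); requests to other endpoints pass through."""
    if not path.rstrip("/").endswith(ENDPOINT):
        return True, "not the affected endpoint"
    values = extract_email_values(content_type, body)
    if values is None:
        return False, "unparseable body"
    if len(values) != 1:  # missing or duplicated parameter
        return False, "expected exactly one email value"
    value = values[0]
    if not isinstance(value, str) or len(value) > MAX_LEN:
        return False, "email is not a short string"
    if not EMAIL_RE.fullmatch(value):
        return False, "email outside allowlist"
    return True, "ok"


# Constructed sample requests (placeholder path); pass each to check_request(*s).
FORM = "application/x-www-form-urlencoded"
SAMPLES = [
    ("/RequestPasswordChange", FORM, "email=operator%40example.com"),
    ("/RequestPasswordChange", FORM, "email=operator%40example.com%27"),
    ("/RequestPasswordChange", "application/json", '{"email": ["a@example.com"]}'),
]
```

A filter like this narrows what reaches the vulnerable query but does not repair it; the fix for CWE-89 in the application itself is parameterized queries.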
