Published: 2024/01/30  Last Updated: 2024/01/30

JVNVU#94591337
Multiple vulnerabilities in SHARP Energy Management Controller with Cloud Services

Overview

Energy Management Controller with Cloud Services provided by SHARP CORPORATION contains multiple vulnerabilities.

Products Affected

  • Energy Management Controller with Cloud Services
    • JH-RVB1 / JH-RV11 Ver.B0.1.9.1 and earlier

Description

Energy Management Controller with Cloud Services provided by SHARP CORPORATION contains multiple vulnerabilities listed below.

  • Improper authentication (CWE-287) - CVE-2024-23783
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Base Score: 7.1
  • Improper access control (CWE-284) - CVE-2024-23784
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Base Score: 4.7
  • Cross-site request forgery (CWE-352) - CVE-2024-23785
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L Base Score: 6.1
  • Stored cross-site scripting (CWE-79) - CVE-2024-23786
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L Base Score: 5.2
  • Path traversal (CWE-22) - CVE-2024-23787
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Base Score: 7.4
  • Server-side request forgery (CWE-918) - CVE-2024-23788
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L Base Score: 4.7
  • OS command injection (CWE-78) - CVE-2024-23789
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Base Score: 9.6

Impact

CVE-2024-23783
A network-adjacent unauthenticated attacker may access the affected product without authentication

CVE-2024-23784
A network-adjacent unauthenticated attacker may obtain a user name and its hashed password which are displayed on the management page of the affected product

CVE-2024-23785
A remote unauthenticated attacker may change the product settings

CVE-2024-23786
An arbitrary script may be executed on the web browser of the user who is accessing the management page of the affected product

CVE-2024-23787
A network-adjacent unauthenticated attacker may obtain an arbitrary file in the affected product

CVE-2024-23788
A network-adjacent unauthenticated attacker may send an arbitrary HTTP request (GET) from the affected product

CVE-2024-23789
A network-adjacent unauthenticated attacker may execute an arbitrary command on the affected product

Solution

Update the software
Update Energy Management Controller with Cloud Services to Ver.B0.2.0.0.
The update is applied automatically if Energy Management Controller with Cloud Services is connected to the internet.

Apply workaround
Applying the following workarounds may mitigate the impacts of these vulnerabilities.

  • Do not connect the product to the internet directly; use it within a network protected by a router or similar device
  • Use a stronger encryption standard when using a wireless LAN router
  • Change the factory default administrative password
  • Keep the firmware up to date by applying firmware updates periodically

Credit

Shoji Baba of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2024-23783, CVE-2024-23784, CVE-2024-23785, CVE-2024-23786, CVE-2024-23787, CVE-2024-23788, CVE-2024-23789