CVE-2012-5861 Information

Description

Multiple SQL injection vulnerabilities on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server) Sinapsi eSolar and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 allow remote attackers to execute arbitrary SQL commands via (1) the inverterselect parameter in a primo action to dettagliinverter.php or (2) the lingua parameter to changelanguagesession.php.

Reference

http://archives.neohapsis.com/archives/bugtraq/2012-09/0045.html http://www.exploit-db.com/exploits/21273/ http://www.sinapsitech.it/default.asp?active_page_id=78&news_id=88 http://www.us-cert.gov/control_systems/pdf/ICSA-12-325-01.pdf https://exchange.xforce.ibmcloud.com/vulnerabilities/80201