Acrel EEMS Enterprise Power Operation and Maintenance Cloud Platform SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform version 1.3.0. The issue arises in an unknown function of the file '/SubstationWEBV2/main/elecMaxMinAvgValue', where the manipulation of the 'fCircuitids' argument allows for SQL injection. This vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows for unauthorized SQL injection, which could be used to manipulate database queries and potentially access or modify database information.

Reproduction

To reproduce this vulnerability, send a POST request to '/SubstationWEBV2/main/elecMaxMinAvgValue' with the 'fCircuitids' parameter. Include a crafted SQL payload that exploits the application's SQL query handling. The request should be made with an authorization token and can be sent from a web browser or a tool that allows for HTTP request manipulation.