This is a summary of the AI-generated 10-question deep analysis.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: Enel X Waybox 3.0 has a critical flaw in its Web Admin App. Attackers can send arbitrary SQL queries via `/admin/versions.php`. **Consequences**: Full compromise of the internal database…
**Root Cause**: **SQL Injection (SQLi)**, mapped to **CWE-89**. The application fails to sanitize input reaching the `versions.php` endpoint, allowing direct manipulation of the backend database.
Q3: Who is affected? (Versions/Components)
**Affected Product**: Enel X **Waybox 3.0** (Home Charging Station). **Component**: The internal Web Management Application. **Vendor**: Enel X…
**Attacker Capabilities**: Because this is SQLi, an attacker can: **Read** all internal data. **Delete/Modify** records. **Execute** administrative commands on the database…
**Public Exploit**: The provided data shows `pocs: []`, meaning **no specific PoC code** is listed in this dataset. **However**, SQLi is a well-known technique…
**Self-Check**: Scan your network for Enel X Waybox devices. **Test**: Attempt to access `/admin/versions.php`. **Verify**: If the endpoint is reachable without authentication, the device is vulnerable…
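A defender-side companion to the self-check above, added here as an example and not part of the original analysis: it reads web-server access logs in Apache "combined" format (assumed to be collected from a gateway or reverse proxy in front of the charger's admin interface), flags every request to `/admin/versions.php`, and raises the severity when a query parameter carries SQL-injection indicators. The parameter name `id` and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" access-log format (assumed: logs come from a
# reverse proxy or gateway in front of the charger's admin interface).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
VULNERABLE_PATH = "/admin/versions.php"

# Generic SQL-injection indicators looked for in decoded parameter values.
SQLI_INDICATORS = [
    re.compile(r"'"),                                        # string-delimiter break-out
    re.compile(r"--|/\*|#"),                                 # SQL comment sequences
    re.compile(r"\bunion\b.*\bselect\b", re.I),              # UNION-based extraction
    re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I),       # tautology clauses
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),           # time-based blind probes
    re.compile(r";\s*(drop|delete|update|insert)\b", re.I),  # stacked statements
]

def analyze_line(line):
    """Return a finding dict for a request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; ignore
    target = m.group("target")
    if urlsplit(target).path != VULNERABLE_PATH:
        return None
    finding = {"ip": m.group("ip"), "ts": m.group("ts"),
               "status": int(m.group("status")), "severity": "info",
               "reason": "admin endpoint requested (no auth required per advisory)"}
    # Every hit on the endpoint is worth recording; a payload in a parameter escalates it.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if any(p.search(value) for p in SQLI_INDICATORS):
            finding.update(severity="high", reason=f"SQLi indicator in parameter {name!r}")
            break
    return finding

def analyze_log(lines):
    """Run analyze_line over an iterable of log lines and keep only the findings."""
    return [f for f in map(analyze_line, lines) if f]

# Constructed sample log lines (not real traffic); the parameter name "id" is assumed.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2024:10:01:00 +0000] "GET /admin/versions.php?id=3 HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Mar/2024:10:02:00 +0000] "GET /admin/versions.php?id=3%27%20OR%201%3D1-- HTTP/1.1" 200 8192',
]
```

Run `analyze_log(SAMPLE_LOG)` to see one informational finding for the plain request and one high-severity finding for the request whose `id` value breaks out of the string literal.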
**No-Patch Workaround**:
1. **Isolate**: Block access to the device's admin interface via firewall.
2. **Disable**: Turn off the Web Admin feature if possible.
3. …
**Urgency**: **CRITICAL**. **Priority**: **P1**. With a CVSS of 10.0 and no authentication required, this is an immediate threat. Patch or isolate these devices **NOW**.