CVE-2024-50686
Published: 26 February 2025
Description
SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the commonService API model.
Security Summary
CVE-2024-50686 is an insecure direct object reference (IDOR) vulnerability, classified under CWE-639 (Authorization Bypass Through User-Controlled Key), affecting SunGrow iSolarCloud prior to the October 31, 2024 remediation. The issue resides in the commonService API model: the object a request operates on is selected from a client-supplied identifier without a check that the caller is authorized for that object. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N); the critical rating follows from network reachability without privileges or user interaction, combined with high confidentiality and integrity impact.
Remote, unauthenticated attackers can exploit the flaw over the network with low attack complexity and no user interaction. By substituting another user's object identifier in a request, an attacker can read that user's data (high confidentiality impact) and modify their objects (high integrity impact) within the iSolarCloud platform; availability is not affected. Since no privileges are required (PR:N), holding an account on the platform is not a prerequisite for exploitation.
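The pattern behind a CWE-639 finding, shown as an added example that is not SunGrow's code and does not reproduce the actual commonService endpoint (the advisory does not disclose which objects or parameters are affected). The Device model, the owner field, the handler names and the two-tenant sample data are all assumptions constructed for illustration. The vulnerable handlers select a record purely from the client-supplied id; the hardened versions require an authenticated principal, scope the lookup to that principal's objects, and answer a foreign id exactly like a missing one so the endpoint does not become an existence oracle. The last function is the check a tester runs to confirm the fix: probe ids outside the caller's own from a single session and count cross-tenant hits.

```python
"""Illustrative IDOR (CWE-639) handler beside its hardened form.

Added example; not iSolarCloud code. Object model and names are assumed.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional


class AccessDenied(Exception):
    """Raised by the hardened handlers for missing, foreign, or unauthenticated access."""


@dataclass
class Device:
    device_id: int
    owner: str
    name: str
    config: dict = field(default_factory=dict)


# Constructed sample data: two tenants, each owning one device (assumed model).
DEVICES = {
    1001: Device(1001, "alice", "Inverter A", {"export_limit_kw": 5.0}),
    1002: Device(1002, "bob", "Inverter B", {"export_limit_kw": 3.0}),
}


# --- Vulnerable pattern: object chosen solely by the client-supplied id ----------
# No session is required and ownership is never compared (CWE-639). This matches
# the PR:N / C:H / I:H profile in the advisory's CVSS vector.
def get_device_vulnerable(session_user: Optional[str], device_id: int) -> Optional[Device]:
    return DEVICES.get(device_id)


def update_device_vulnerable(session_user: Optional[str], device_id: int, new_config: dict) -> bool:
    dev = DEVICES.get(device_id)
    if dev is None:
        return False
    dev.config.update(new_config)  # integrity impact: any caller can rewrite any object
    return True


# --- Hardened pattern: authenticate, then scope the lookup to the principal -----
def _load_owned(session_user: Optional[str], device_id: int) -> Device:
    if session_user is None:
        raise AccessDenied("authentication required")
    dev = DEVICES.get(device_id)
    # Foreign and missing ids are treated identically so the response cannot be
    # used to enumerate which ids exist.
    if dev is None or dev.owner != session_user:
        raise AccessDenied("object not found")
    return dev


def get_device_fixed(session_user: Optional[str], device_id: int) -> Device:
    return _load_owned(session_user, device_id)


def update_device_fixed(session_user: Optional[str], device_id: int, new_config: dict) -> bool:
    dev = _load_owned(session_user, device_id)
    dev.config.update(new_config)
    return True


# --- Verification: enumerate ids from one session and count cross-tenant reads --
def count_cross_tenant_reads(
    handler: Callable[[Optional[str], int], Optional[Device]],
    session_user: Optional[str],
    id_range: Iterable[int],
) -> int:
    hits = 0
    for did in id_range:
        try:
            dev = handler(session_user, did)
        except AccessDenied:
            continue
        if dev is not None and dev.owner != session_user:
            hits += 1
    return hits


if __name__ == "__main__":
    probe = range(1000, 1010)
    print("vulnerable, alice session:", count_cross_tenant_reads(get_device_vulnerable, "alice", probe))
    print("vulnerable, no session:   ", count_cross_tenant_reads(get_device_vulnerable, None, probe))
    print("fixed, alice session:     ", count_cross_tenant_reads(get_device_fixed, "alice", probe))
```

Running the probe against the vulnerable handler reports one foreign object from alice's session and two with no session at all; against the hardened handler it reports zero, and the unauthenticated probe is rejected before any lookup happens. The same probe, run from two real accounts against an endpoint, is the practical regression test for an IDOR fix.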
The vendor's security notice advises applying the remediation released on October 31, 2024, to affected iSolarCloud deployments. Additional details are available at https://en.sungrowpower.com/security-notice-detail-2/6112.
Details
- CWE(s)