VYPR
High severity · NVD Advisory · Published Sep 21, 2023 · Updated Sep 24, 2024

CVE-2023-31717

Description

A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection vulnerability in FUXA <=1.1.12 allows remote unauthenticated attackers to extract sensitive database content via a crafted id parameter.

CVE-2023-31717 is a SQL injection vulnerability in FUXA, a web-based SCADA/HMI platform used for industrial process visualization. The flaw affects versions up to and including 1.1.12 and stems from insufficient sanitization of the "id" parameter in HTTP POST requests sent as JSON, allowing an attacker to inject arbitrary SQL queries into the underlying SQLite database [2][3].

Exploitation requires no authentication and can be performed over the network by sending a specially crafted POST request to the vulnerable endpoint. The PoC provided uses a blind SQL injection technique with functions like LIKE, CHAR, and UPPER to extract data character by character, demonstrating that an attacker can systematically retrieve confidential information [3].

Successful exploitation enables an attacker to exfiltrate sensitive data stored in the database, such as user credentials, device configurations, or historical process data. Given FUXA's use in industrial environments, this could lead to unauthorized access to SCADA systems and potential operational disruption [1][2].

The vendor has addressed this issue in a subsequent release after 1.1.12. Users are strongly advised to upgrade to the latest version of FUXA. If upgrading is not immediately possible, network access controls should be implemented to restrict access to the web interface [1]. There is no evidence of active exploitation in the wild as of the publication date.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
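
An added example, not code from FUXA or from the advisory: the string-concatenation pattern that makes a JSON "id" field injectable, beside the parameter-bound form, run against an in-memory SQLite database. It is written in Python so it runs self-contained; the table, column and function names and both request bodies are constructed for illustration.

```python
import json
import sqlite3


def make_db():
    # Constructed schema and rows; not FUXA's actual database layout.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE views (id TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO views VALUES (?, ?)",
                   [("v1", "Pump overview"), ("v2", "Tank levels")])
    return db


def lookup_concatenated(db, body):
    """Vulnerable pattern: the JSON "id" value is spliced into the SQL text."""
    view_id = json.loads(body)["id"]
    sql = "SELECT name FROM views WHERE id = '" + view_id + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_bound(db, body):
    """Hardened pattern: type-check the value, then bind it as a parameter."""
    view_id = json.loads(body).get("id")
    if not isinstance(view_id, str) or len(view_id) > 64:
        raise ValueError("id must be a short string")
    rows = db.execute("SELECT name FROM views WHERE id = ?", (view_id,))
    return [row[0] for row in rows]


# Constructed request bodies. The second closes the string literal and adds
# a boolean condition, so the response reveals whether that condition is true.
BENIGN = json.dumps({"id": "v1"})
TAMPERED = json.dumps({"id": "none' OR UPPER(name) LIKE 'P%"})

if __name__ == "__main__":
    db = make_db()
    for label, body in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(label, "concatenated:", lookup_concatenated(db, body))
        print(label, "bound:", lookup_bound(db, body))
```

With the bound query the tampered value is compared as a literal string and matches no row, so the response no longer depends on the injected condition.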

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: fuxa-server (npm)
Affected versions: <= 1.1.12
Patched versions: (none listed)

Patches

0

No patches discovered yet.

References

3
