VYPR
Critical severity · NVD Advisory · Published Sep 21, 2023 · Updated Sep 24, 2024

CVE-2023-31719

Description

FUXA <= 1.1.12 is vulnerable to SQL Injection via /api/signin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FUXA versions up to 1.1.12 are vulnerable to SQL injection in the /api/signin endpoint, allowing unauthenticated attackers to execute arbitrary SQL commands.

Vulnerability Overview

CVE-2023-31719 describes a SQL injection vulnerability in FUXA, a web-based SCADA/HMI platform [1]. The flaw resides in the /api/signin endpoint, where the JSON parameter username is not properly sanitized before being used in database queries. This allows an attacker to inject arbitrary SQL code through a crafted HTTP POST request [3].

Exploitation Details

An attacker can exploit this vulnerability by sending a POST request to /api/signin with a malicious JSON payload. The proof-of-concept demonstrates injecting a SQL condition such as ' OR 2891=LIKE(...) into the username field [3]. No authentication is required, and the attack only requires network access to the FUXA web interface. The injection occurs before any user validation, making it trivially exploitable.

Impact

Successful exploitation enables an attacker to execute arbitrary SQL commands on the underlying database. This could lead to unauthorized access to sensitive data, including user credentials and system configuration, as well as potential data manipulation or deletion. Given FUXA's role in industrial monitoring, a compromise could have serious operational consequences.

Mitigation

Users of FUXA versions 1.1.12 and earlier should upgrade to a patched version as soon as possible. If an upgrade is not immediately feasible, implement strict input validation and parameterized queries for the /api/signin endpoint. The vendor has not released an official advisory, but the issue is fixed in later releases [1][3].
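
The difference between concatenating and binding the username value, as an added Python illustration; it is not FUXA's code (FUXA ships as the npm package fuxa-server) and not taken from the cited references. The users table, the allow-list pattern, the function names and the crafted input are constructed for the example, and SQLite is used only because it runs in-memory.

```python
import re
import sqlite3

# Hypothetical allow-list for account names; adjust to local policy.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")

# Constructed input: a quote that closes the literal, then an always-true test.
CRAFTED = "x' OR '1'='1"


def make_db():
    """In-memory users table with constructed rows (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "hash-a"), ("operator", "hash-b")])
    return db


def lookup_concatenated(db, username):
    """Flawed pattern: the request value becomes part of the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, username):
    """Bound parameter: the value is compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


def signin_lookup(db, body):
    """Validate the JSON field's type and shape, then use the bound query."""
    username = body.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        return []  # rejected before any query runs
    return lookup_parameterized(db, username)


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, CRAFTED))
    print("parameterized:", lookup_parameterized(db, CRAFTED))
    print("validated    :", signin_lookup(db, {"username": ["admin"]}))
```

Binding is the control that removes the injection; the type and shape check is defense in depth that also rejects non-string JSON values before they reach the database driver.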

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
fuxa-server (npm) | <= 1.1.12 |

Affected products: 2

Patches: 0

No patches discovered yet.

References: 3
