Multiple Vulnerabilities in Badger Meter's Monitool
Description
SQL injection vulnerability in Badger Meter Monitool affecting versions 4.6.3 and earlier. A remote attacker could send a specially crafted SQL query to the server via the j_username parameter and retrieve the information stored in the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Badger Meter Monitool ≤4.6.3 allows unauthenticated remote attackers to read database contents via the j_username parameter.
Vulnerability
CVE-2024-1301 is a SQL injection vulnerability in Badger Meter Monitool affecting versions 4.6.3 and earlier [1]. The flaw exists in the login functionality, where the j_username parameter is directly concatenated into SQL queries without sanitization [1]. No special privileges or configuration changes are required—the vulnerable code path is reachable by default in the web interface [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability remotely over the network. The attacker crafts a malicious SQL payload and sends it as the value of the j_username parameter in an HTTP request to the server [1]. Since the application fails to properly escape or parameterize the input, the attacker's SQL commands are executed against the backend database [1].
Impact
Successful exploitation allows a remote attacker to retrieve all information stored in the database [1]. Given the CVSS 9.8 (Critical) score with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the impact extends to full confidentiality, integrity, and availability compromise [1]. The attacker could extract sensitive data, modify database contents, or potentially execute operating-system-level commands depending on database permissions and configuration.
Mitigation
Badger Meter has released a fix in version 4.7 and later of Monitool [1]. Users should upgrade to 4.7 or the latest available version immediately [1]. No workarounds are documented in the available reference. All affected organizations should prioritize patching due to the critical severity and known exploitability.
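To make the mechanism concrete, here is an added example (not Monitool's own code, which is not reproduced on this page) in Python with sqlite3: the login lookup pattern the advisory describes, where the j_username value is spliced into the query text, beside the parameterized form that passes the value as data. The users table, its rows and the `lookup_user_*` helper names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("admin", "<hash placeholder>"), ("operator", "<hash placeholder>")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, j_username):
    """The flawed pattern: untrusted j_username becomes part of the SQL text.

    Any quote or comment sequence in the input changes the query's structure,
    so the database executes whatever the client wrote, not what the developer meant.
    """
    query = "SELECT id, username FROM users WHERE username = '" + j_username + "'"
    return conn.execute(query).fetchone()


def lookup_user_parameterized(conn, j_username):
    """The hardened form: the query text is fixed and the driver binds the value.

    The input can only ever match (or fail to match) a username; it cannot
    alter the statement, whatever characters it contains.
    """
    query = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(query, (j_username,)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # An input containing a quote and a comment marker: the concatenated query
    # collapses to "... WHERE username = 'admin' --'", the bound one stays literal.
    probe = "admin' --"
    print("concatenated :", lookup_user_vulnerable(conn, probe))
    print("parameterized:", lookup_user_parameterized(conn, probe))
```

The parameterized variant is the fix pattern a code review should look for in every query that touches the login parameters; the same applies to any ORM or JDBC call that builds SQL with string formatting.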
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=4.6.3
- (no CPE) range: 4.6.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.