Summary
A security researcher discovered a clickjacking vulnerability in the web frontend of the affected products. An attacker could lure a user onto a malicious website that appears to be the WebUI of the affected product. The affected products are out of support (End-of-Life 2015-12-31).
Impact
A user can be tricked into performing unwanted actions on other systems while believing they are clicking in the Webbox WebUI.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
SMA Sunny Webbox | SMA Sunny Webbox | |
SMA Sunny Webbox with Bluetooth | SMA Sunny Webbox with Bluetooth | |
Vulnerabilities
Vulnerability whereby an attacker could send a malicious link to an authenticated operator, which could allow remote attackers to perform a clickjacking attack on Sunny WebBox firmware version 1.6.1 and earlier.
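As an added example (not SMA's code), the following check lets an operator tell from an HTTP response head whether a web UI, such as a replacement device, restricts framing by other sites; the sample responses are constructed here, not captured from a real Webbox.

```python
from typing import List, Optional, Tuple

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs."""
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if line == "":
            break  # blank line ends the head
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def frame_ancestors(headers) -> Optional[List[str]]:
    """Return the CSP frame-ancestors source list, or None if absent."""
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.lower() for p in parts[1:]]
    return None

def clickjacking_protected(headers) -> Tuple[bool, str]:
    """Decide whether the response forbids cross-site framing.
    CSP frame-ancestors overrides X-Frame-Options in browsers that support it,
    so it is evaluated first."""
    ancestors = frame_ancestors(headers)
    if ancestors is not None:
        if "*" in ancestors:
            return False, "frame-ancestors * allows any site to frame the page"
        return True, "CSP frame-ancestors restricts framing"
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    if xfo and xfo[0] in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo[0]
    if xfo:
        # ALLOW-FROM and malformed values are ignored by current browsers
        return False, "X-Frame-Options not enforced by current browsers: " + xfo[0]
    return False, "no framing restriction: any site can embed the page"

# Constructed samples, not captured from a real device.
LEGACY_RESPONSE = "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nServer: embedded\r\n\r\n"
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n"
                     "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("legacy", LEGACY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, clickjacking_protected(parse_headers(raw)))
```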
Mitigation
If you cannot replace your Webbox with a suitable up-to-date product, isolate the affected network segment by blocking all incoming network traffic. In particular, never configure your network to allow port forwarding to the SMA Webbox.
Remediation
Replace the out-of-support Sunny Webbox / Sunny Webbox with Bluetooth with a suitable up-to-date product. Please note the technical information on the switchover at www.sma-sunny.com/en/how-to-replace-o...
Revision History
Version | Date | Summary |
---|---|---|
1.0.0 | 20.01.2025 12:00 | Initial revision. |
2.0.0 | 12.02.2025 17:48 | Fix: corrected self-reference |
2.0.1 | 17.06.2025 08:00 | fixed typo: Got 'vers:all/* ', expected 'vers:all/*', switched to semver versioning scheme |