CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-31558 – Delta Electronics DIAEnergie (Update A)
https://notcve.org/view.php?id=CVE-2021-31558
DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter “descr” of the script “DIAE_hierarchyHandler.ashx”. DIAEnergie Versiones 1.7.5 y anteriores, es vulnerable a un ataque de tipo cross-site scripting almacenado cuando un usuario no autenticado inyecta código arbitrario en el parámetro "descr" del script "DIAE_hierarchyHandler.ashx" • https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-44544 – Delta Electronics DIAEnergie (Update A)
https://notcve.org/view.php?id=CVE-2021-44544
DIAEnergie Version 1.7.5 and prior is vulnerable to multiple cross-site scripting vulnerabilities when arbitrary code is injected into the parameter “name” of the script “HandlerEnergyType.ashx”. DIAEnergie Versión 1.7.5 y anteriores, es vulnerable a múltiples vulnerabilidades de tipo cross-site scripting cuando se inyecta código arbitrario en el parámetro "name" del script "HandlerEnergyType.ashx" • https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-44471 – Delta Electronics DIAEnergie (Update A)
https://notcve.org/view.php?id=CVE-2021-44471
DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter “name” of the script “DIAE_HandlerAlarmGroup.ashx”. DIAEnergie Versión 1.7.5 y anteriores, son vulnerables a ataques de tipo cross-site scripting almacenado cuando un usuario no autenticado inyecta código arbitrario en el parámetro "name" del script "DIAE_HandlerAlarmGroup.ashx" • https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38390
https://notcve.org/view.php?id=CVE-2021-38390
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. Se presenta una vulnerabilidad de inyección SQL ciega en el endpoint /DataHandler/HandlerEnergyType.ashx de Delta Electronics DIAEnergie versiones 1.7.5 y anteriores, . La aplicación no comprueba apropiadamente el valor controlado por el usuario suministrado mediante el parámetro egyid antes de usarlo como parte de una consulta SQL. • https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32983
https://notcve.org/view.php?id=CVE-2021-32983
A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter keyword before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. Se presenta una vulnerabilidad de inyección SQL ciega en el endpoint /DataHandler/Handler_CFG.ashx de Delta Electronics DIAEnergie versiones 1.7.5 y anteriores. La aplicación no comprueba apropiadamente el valor controlado por el usuario suministrado mediante el parámetro keyword antes de usarlo como parte de una consulta SQL. • https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •