CVE-2021-32983
https://notcve.org/view.php?id=CVE-2021-32983
A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter keyword before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
• https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-38393
https://notcve.org/view.php?id=CVE-2021-38393
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
• https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-38391
https://notcve.org/view.php?id=CVE-2021-38391
A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.
• https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-32991
https://notcve.org/view.php?id=CVE-2021-32991
Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request forgery, which may allow an attacker to cause a user to carry out an action unintentionally.
• https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2021-32955
https://notcve.org/view.php?id=CVE-2021-32955
Delta Electronics DIAEnergie Version 1.7.5 and prior allows unrestricted file uploads, which may allow an attacker to remotely execute code.
• https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03
• CWE-434: Unrestricted Upload of File with Dangerous Type