CVE-2021-38428 – Delta Electronics DIALink
https://notcve.org/view.php?id=CVE-2021-38428
Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter name of the API schedule, which may allow an attacker to remotely execute code. • https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-38420 – Delta Electronics DIALink
https://notcve.org/view.php?id=CVE-2021-38420
In Delta Electronics DIALink versions 1.2.4.0 and prior, the default permissions give extensive permissions to low-privileged user accounts, which may allow an attacker to modify the installation directory and upload malicious files. • https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 • CWE-276: Incorrect Default Permissions • CWE-427: Uncontrolled Search Path Element
CVE-2021-38407 – Delta Electronics DIALink
https://notcve.org/view.php?id=CVE-2021-38407
Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter name of the API devices, which may allow an attacker to remotely execute code. • https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-38424 – Delta Electronics DIALink
https://notcve.org/view.php?id=CVE-2021-38424
The tag interface of Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to an attacker injecting formulas into the tag data. Those formulas may then be executed when the tag data is opened with a spreadsheet application. • https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CVE-2021-38403 – Delta Electronics DIALink
https://notcve.org/view.php?id=CVE-2021-38403
Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter supplier of the API maintenance, which may allow an attacker to remotely execute code. • https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')