CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38422 – Delta Electronics DIALink
https://notcve.org/view.php?id=CVE-2021-38422
Delta Electronics DIALink versions 1.2.4.0 and prior stores sensitive information in cleartext, which may allow an attacker to have extensive access to the application directory and escalate privileges. Delta Electronics DIALink versiones 1.2.4.0 y anteriores, almacena información confidencial en texto sin cifrar, que puede permitir a un atacante tener un amplio acceso al directorio de la aplicación y escalar privilegios • https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38418 – Delta Electronics DIALink
https://notcve.org/view.php?id=CVE-2021-38418
Delta Electronics DIALink versions 1.2.4.0 and prior runs by default on HTTP, which may allow an attacker to be positioned between the traffic and perform a machine-in-the-middle attack to access information without authorization. Delta Electronics DIALink versiones 1.2.4.0 y anteriores, son ejecutadas por defecto en HTTP, lo que puede permitir a un atacante situarse entre el tráfico y llevar a cabo un ataque de tipo machine-in-the-middle para acceder a la información sin autorización • https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38411 – Delta Electronics DIALink
https://notcve.org/view.php?id=CVE-2021-38411
Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter deviceName of the API modbusWriter-Reader, which may allow an attacker to remotely execute code. Delta Electronics DIALink versiones 1.2.4.0 y anteriores, es vulnerable a un ataque de tipo cross-site scripting porque un atacante autenticado puede inyectar código JavaScript arbitrario en el parámetro deviceName de la API modbusWriter-Reader, lo que puede permitir a un atacante ejecutar código de forma remota • https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38390
https://notcve.org/view.php?id=CVE-2021-38390
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. Se presenta una vulnerabilidad de inyección SQL ciega en el endpoint /DataHandler/HandlerEnergyType.ashx de Delta Electronics DIAEnergie versiones 1.7.5 y anteriores, . La aplicación no comprueba apropiadamente el valor controlado por el usuario suministrado mediante el parámetro egyid antes de usarlo como parte de una consulta SQL. • https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32983
https://notcve.org/view.php?id=CVE-2021-32983
A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter keyword before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. Se presenta una vulnerabilidad de inyección SQL ciega en el endpoint /DataHandler/Handler_CFG.ashx de Delta Electronics DIAEnergie versiones 1.7.5 y anteriores. La aplicación no comprueba apropiadamente el valor controlado por el usuario suministrado mediante el parámetro keyword antes de usarlo como parte de una consulta SQL. • https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •