CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38393
https://notcve.org/view.php?id=CVE-2021-38393
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. Se presenta una vulnerabilidad de inyección SQL ciega en el endpoint /DataHandler/HandlerAlarmGroup.ashx de Delta Electronics DIAEnergie versiones 1.7.5 y anteriores. La aplicación no comprueba apropiadamente el valor controlado por el usuario suministrado mediante el parámetro agid antes de usarlo como parte de una consulta SQL. • https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38391
https://notcve.org/view.php?id=CVE-2021-38391
A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER. Se presenta una vulnerabilidad de inyección SQL ciega en el endpoint /DataHandler/AM/AM_Handler.ashx de Delta Electronics DIAEnergie versión 1.7.5 y anteriores. La aplicación no comprueba apropiadamente el valor controlado por el usuario suministrado mediante el parámetro type antes de usarlo como parte de una consulta SQL. • https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32991
https://notcve.org/view.php?id=CVE-2021-32991
Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request forgery, which may allow an attacker to cause a user to carry out an action unintentionally. Delta Electronics DIAEnergie versiones 1.7.5 y anteriores, son vulnerables a un ataque de tipo cross-site request forgery, que puede permitir a un atacante causar a un usuario realizar una acción no intencionada. • https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32955
https://notcve.org/view.php?id=CVE-2021-32955
Delta Electronics DIAEnergie Version 1.7.5 and prior allows unrestricted file uploads, which may allow an attacker to remotely execute code. Delta Electronics DIAEnergie versiones 1.7.5 y anteriores, permiten una carga de archivos sin restricciones, lo que puede permitir a un atacante ejecutar código remotamente. • https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32967
https://notcve.org/view.php?id=CVE-2021-32967
Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges. Delta Electronics DIAEnergie versiones 1.7.5 y anteriores, pueden permitir a un atacante añadir un nuevo usuario administrativo sin estar autenticado o autorizado, lo que puede permitir al atacante iniciar sesión y usar el dispositivo con privilegios administrativos. • https://us-cert.cisa.gov/ics/advisories/icsa-21-238-03 • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •