CVSS: 8.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

Delta Industrial Automation DIALink versions prior to v1.5.0.0 Beta 4 use an external input to construct a pathname intended to identify a file or directory located underneath a restricted parent directory. However, the software does not properly neutralize special elements within the pathname, which can cause the pathname to resolve to a location outside of the restricted directory. This vulnerability allows remote attackers to create arbitrary files on affected installations of Delta Industrial Automation DIALink. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-307-03 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Delta Industrial Automation DIALink versions 1.4.0.0 and prior are vulnerable to the use of a hard-coded cryptographic key which could allow an attacker to decrypt sensitive data and compromise the machine. This vulnerability allows remote attackers to bypass authentication on affected installations of Delta Industrial Automation DIALink. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authorization of requests to the server. The issue results from hardcoding cryptographic keys within the product. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-235-02 • CWE-321: Use of Hard-coded Cryptographic Key • CWE-798: Use of Hard-coded Credentials

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter comment of the API events, which may allow an attacker to remotely execute code. • https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Delta Electronics DIALink versions 1.2.4.0 and prior insecurely load libraries, which may allow an attacker to use DLL hijacking and take over the system where the software is installed. • https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 • CWE-427: Uncontrolled Search Path Element

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter name of the API schedule, which may allow an attacker to remotely execute code. • https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')