All the vulnerabilites related to Delta Electronics - DIAEnergie
cve-2024-25567
Vulnerability from cvelistv5
Published
2024-03-21 22:22
Modified
2024-08-01 23:44
Severity ?
EPSS score ?
Summary
Path traversal attack is possible and write outside of the intended directory and may access sensitive information. If a file name is specified that already exists on the file system, then the original file will be overwritten.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < v1.10.00.005 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-25567", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-01T20:55:05.307378Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-01T20:55:20.449Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:44:09.621Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2024-03-14T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePath traversal attack is possible and write outside of the intended directory and may access sensitive information. If a file name is specified that already exists on the file system, then the original file will be overwritten.\u003c/span\u003e\n\n" } ], "value": "\nPath traversal attack is possible and write outside of the intended directory and may access sensitive information. If a file name is specified that already exists on the file system, then the original file will be overwritten.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper limitation of a pathname to a restricted directory (\u0027Path traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-21T22:22:17.780Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en/customerService\"\u003eDelta Electronics\u0027 regional sales or agents\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents https://www.deltaww.com/en/customerService .\n\n" } ], "source": { "advisory": "ICSA-24-074-12", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie Path traversal", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-25567", "datePublished": "2024-03-21T22:22:17.780Z", "dateReserved": "2024-03-12T15:07:02.581Z", "dateUpdated": "2024-08-01T23:44:09.621Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-28045
Vulnerability from cvelistv5
Published
2024-03-21 22:24
Modified
2024-08-02 00:48
Severity ?
EPSS score ?
Summary
Improper neutralization of input within the affected product could lead to cross-site scripting.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < v1.10.00.005 |
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-28045", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-27T14:14:37.320637Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T18:04:05.637Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:48:47.822Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2024-03-14T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eImproper neutralization of input within the affected product could lead to cross-site scripting.\u003c/span\u003e\n\n" } ], "value": "\nImproper neutralization of input within the affected product could lead to cross-site scripting.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper neutralization of input during web page generation (\u0027Cross-site scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-21T22:24:12.286Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en/customerService\"\u003eDelta Electronics\u0027 regional sales or agents\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents https://www.deltaww.com/en/customerService .\n\n" } ], "source": { "advisory": "ICSA-24-074-12", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie Cross-site scripting", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-28045", "datePublished": "2024-03-21T22:24:12.286Z", "dateReserved": "2024-03-12T15:07:02.565Z", "dateUpdated": "2024-08-02T00:48:47.822Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-34033
Vulnerability from cvelistv5
Published
2024-05-03 00:20
Modified
2024-08-12 20:08
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie has insufficient input validation which makes it possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02 | government-resource |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 1.10.00.005 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "lessThan": "1.10.01.004", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-34033", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-26T17:53:32.429375Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-12T20:08:16.443Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:42:59.870Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "government-resource", "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie ", "vendor": "Delta Electronics", "versions": [ { "status": "affected", "version": "1.10.00.005" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta Electronics DIAEnergie has insufficient input validation which makes it possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n" } ], "value": "\nDelta Electronics DIAEnergie has insufficient input validation which makes it possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-03T00:20:03.319Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "government-resource" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta Electronics recommends users update to DIAEnergie v1.10.01.004 to mitigate these vulnerabilities. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta Electronics recommends users update to DIAEnergie v1.10.01.004 to mitigate these vulnerabilities. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents.\n\n" } ], "source": { "discovery": "UNKNOWN" }, "title": "Path Traversal vulnerability in Delta Electronics DIAEnergie ", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-34033", "datePublished": "2024-05-03T00:20:03.319Z", "dateReserved": "2024-04-29T17:56:18.036Z", "dateUpdated": "2024-08-12T20:08:16.443Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26013
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-16 19:41
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_dmdsetHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:56:36.937Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_dmdsetHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-29T16:37:07", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in DIAE_dmdsetHandler.ashx", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26013", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in DIAE_dmdsetHandler.ashx" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_dmdsetHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26013", "datePublished": "2022-03-29T16:37:07.369033Z", "dateReserved": "2022-03-14T00:00:00", "dateUpdated": "2024-09-16T19:41:45.500Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-4548
Vulnerability from cvelistv5
Published
2024-05-06 13:51
Modified
2024-08-01 20:47
Severity ?
EPSS score ?
Summary
An SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateHDMWYC' message, which is split into 4 fields using the '~' character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "lessThanOrEqual": "1.10.1.8610", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-4548", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-05-13T13:41:00.312856Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-20T20:06:39.622Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:47:40.056Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.tenable.com/security/research/tra-2024-13" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThanOrEqual": "1.10.1.8610", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An SQLi vulnerability exists in\u0026nbsp;Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a \u0027RecalculateHDMWYC\u0027 message, which is split into 4 fields using the \u0027~\u0027 character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field." } ], "value": "An SQLi vulnerability exists in\u00a0Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a \u0027RecalculateHDMWYC\u0027 message, which is split into 4 fields using the \u0027~\u0027 character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field." } ], "impacts": [ { "capecId": "CAPEC-66", "descriptions": [ { "lang": "en", "value": "CAPEC-66 SQL Injection" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-06T13:51:07.049Z", "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable" }, "references": [ { "url": "https://www.tenable.com/security/research/tra-2024-13" } ], "source": { "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "assignerShortName": "tenable", "cveId": "CVE-2024-4548", "datePublished": "2024-05-06T13:51:07.049Z", "dateReserved": "2024-05-06T13:35:43.319Z", "dateUpdated": "2024-08-01T20:47:40.056Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1367
Vulnerability from cvelistv5
Published
2022-05-02 18:02
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in Handler_TCV.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:05.645Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in Handler_TCV.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-02T18:02:31", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "workarounds": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-1367", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in Handler_TCV.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1367", "datePublished": "2022-05-02T18:02:31", "dateReserved": "2022-04-14T00:00:00", "dateUpdated": "2024-08-03T00:03:05.645Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-25937
Vulnerability from cvelistv5
Published
2024-03-21 22:09
Modified
2024-08-14 15:43
Severity ?
EPSS score ?
Summary
SQL injection vulnerability exists in the script DIAE_tagHandler.ashx.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < v1.10.00.005 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:delta_electronics:diaenergie:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "diaenergie", "vendor": "delta_electronics", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-25937", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-14T15:24:57.957124Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-14T15:43:50.463Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:52:06.346Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2024-03-14T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSQL injection vulnerability exists in the script DIAE_tagHandler.ashx.\u003c/span\u003e\n\n" } ], "value": "\nSQL injection vulnerability exists in the script DIAE_tagHandler.ashx.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-21T22:09:33.976Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en/customerService\"\u003eDelta Electronics\u0027 regional sales or agents\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents https://www.deltaww.com/en/customerService .\n\n" } ], "source": { "advisory": "ICSA-24-074-12", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-25937", "datePublished": "2024-03-21T22:09:33.976Z", "dateReserved": "2024-03-12T15:07:02.639Z", "dateUpdated": "2024-08-14T15:43:50.463Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1378
Vulnerability from cvelistv5
Published
2022-05-02 18:12
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_pgHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:05.794Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_pgHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-02T18:12:12", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "workarounds": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-1378", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_pgHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1378", "datePublished": "2022-05-02T18:12:12", "dateReserved": "2022-04-14T00:00:00", "dateUpdated": "2024-08-03T00:03:05.794Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26836
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-16 20:07
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:11:44.483Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-29T16:37:09", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in HandlerExport.ashx/Calendar.ashx", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26836", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in HandlerExport.ashx/Calendar.ashx" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26836", "datePublished": "2022-03-29T16:37:09.752311Z", "dateReserved": "2022-03-14T00:00:00", "dateUpdated": "2024-09-16T20:07:34.064Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1376
Vulnerability from cvelistv5
Published
2022-05-02 18:10
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_privgrpHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:05.880Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_privgrpHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-02T18:10:38", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "workarounds": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-1376", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_privgrpHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1376", "datePublished": "2022-05-02T18:10:38", "dateReserved": "2022-04-14T00:00:00", "dateUpdated": "2024-08-03T00:03:05.880Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26059
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-16 20:11
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetQueryData. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:56:37.587Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetQueryData. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-29T16:37:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in GetQueryData", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26059", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in GetQueryData" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetQueryData. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26059", "datePublished": "2022-03-29T16:37:01.122081Z", "dateReserved": "2022-03-14T00:00:00", "dateUpdated": "2024-09-16T20:11:15.501Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1372
Vulnerability from cvelistv5
Published
2022-05-02 18:08
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in dlSlog.aspx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:05.802Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in dlSlog.aspx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-02T18:08:06", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "workarounds": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-1372", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in dlSlog.aspx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1372", "datePublished": "2022-05-02T18:08:06", "dateReserved": "2022-04-14T00:00:00", "dateUpdated": "2024-08-03T00:03:05.802Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-43447
Vulnerability from cvelistv5
Published
2022-11-17 22:45
Modified
2024-08-03 13:32
Severity ?
EPSS score ?
Summary
SQL Injection in
AM_EBillAnalysis.aspx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:32:59.584Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "status": "affected", "version": "All" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-11-10T18:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "SQL Injection in \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAM_EBillAnalysis.aspx\u003c/span\u003e\u003c/span\u003e\u0026nbsp;\u003c/span\u003e\u003c/span\u003ein Delta Electronics DIAEnergie versions prior to\u0026nbsp;v1.9.02.001\u0026nbsp;allows an attacker to inject SQL queries via Network" } ], "value": "SQL Injection in \n\n\n\n\n\n\n\n\n\nAM_EBillAnalysis.aspx\u00a0in Delta Electronics DIAEnergie versions prior to\u00a0v1.9.02.001\u00a0allows an attacker to inject SQL queries via Network" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-26T23:01:53.928Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\n\n\n" } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL Injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-43447", "datePublished": "2022-11-17T22:45:54.530101Z", "dateReserved": "2022-10-31T00:00:00", "dateUpdated": "2024-08-03T13:32:59.584Z", "serial": 1, "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-34032
Vulnerability from cvelistv5
Published
2024-05-03 00:16
Modified
2024-08-12 20:08
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the GetDIACloudList endpoint. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02 | government-resource |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 1.10.00.005 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "status": "affected", "version": "0" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-34032", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-25T19:09:34.838148Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-12T20:08:42.943Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:42:59.827Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "government-resource", "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie ", "vendor": "Delta Electronics", "versions": [ { "status": "affected", "version": "1.10.00.005" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the GetDIACloudList endpoint. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed.\u003c/span\u003e\n\n\u003c/span\u003e\n\n" } ], "value": "\nDelta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the GetDIACloudList endpoint. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": " Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) CWE-89", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-03T00:16:40.017Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "government-resource" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta Electronics recommends users update to DIAEnergie v1.10.01.004 to mitigate these vulnerabilities. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta Electronics recommends users update to DIAEnergie v1.10.01.004 to mitigate these vulnerabilities. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents.\n\n" } ], "source": { "discovery": "UNKNOWN" }, "title": "SQL Injection in Delta Electronics DIAEnergie ", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-34032", "datePublished": "2024-05-03T00:16:40.017Z", "dateReserved": "2024-04-29T17:56:18.036Z", "dateUpdated": "2024-08-12T20:08:42.943Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-0923
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-16 22:35
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerDialog_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:47:42.817Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerDialog_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-29T16:37:05", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in HandlerDialog_KID.ashx", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-0923", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in HandlerDialog_KID.ashx" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerDialog_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-0923", "datePublished": "2022-03-29T16:37:05.764829Z", "dateReserved": "2022-03-10T00:00:00", "dateUpdated": "2024-09-16T22:35:32.092Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-41701
Vulnerability from cvelistv5
Published
2022-10-27 20:15
Modified
2024-09-16 20:27
Severity ?
EPSS score ?
Summary
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PutShift API.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All < v1.9.01.002 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:49:43.575Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.9.01.002", "status": "affected", "version": "All", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-10-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PutShift API." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-27T00:00:00", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "value": "Delta did not publicly release v1.9.01.002. Users are encouraged to contact Delta front-end sales or agents to get this updated version." } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-41701", "datePublished": "2022-10-27T20:15:38.365915Z", "dateReserved": "2022-09-29T00:00:00", "dateUpdated": "2024-09-16T20:27:15.643Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1366
Vulnerability from cvelistv5
Published
2022-05-02 18:01
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerChart.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:05.836Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerChart.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-02T18:01:09", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "workarounds": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-1366", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerChart.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1366", "datePublished": "2022-05-02T18:01:09", "dateReserved": "2022-04-14T00:00:00", "dateUpdated": "2024-08-03T00:03:05.836Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-0988
Vulnerability from cvelistv5
Published
2022-03-25 18:02
Modified
2024-09-16 17:28
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (Version 1.7.5 and prior) is vulnerable to cleartext transmission as the web application runs by default on HTTP. This could allow an attacker to remotely read transmitted information between the client and product.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T23:47:42.706Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThanOrEqual": "1.7.5", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (Version 1.7.5 and prior) is vulnerable to cleartext transmission as the web application runs by default on HTTP. This could allow an attacker to remotely read transmitted information between the client and product." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-25T18:02:30", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has released an updated version of DIAEnergie and recommends users install v1.8.0 and later on all affected systems." } ], "source": { "advisory": "ICSA-21-238-03", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie CLEARTEXT Transmission of Sensitive Information", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T17:29:00.000Z", "ID": "CVE-2022-0988", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie CLEARTEXT Transmission of Sensitive Information" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "1.7.5" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (Version 1.7.5 and prior) is vulnerable to cleartext transmission as the web application runs by default on HTTP. This could allow an attacker to remotely read transmitted information between the client and product." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-319 Cleartext Transmission of Sensitive Information" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has released an updated version of DIAEnergie and recommends users install v1.8.0 and later on all affected systems." } ], "source": { "advisory": "ICSA-21-238-03", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-0988", "datePublished": "2022-03-25T18:02:30.522039Z", "dateReserved": "2022-03-15T00:00:00", "dateUpdated": "2024-09-16T17:28:48.335Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-44471
Vulnerability from cvelistv5
Published
2021-12-22 18:06
Modified
2024-09-16 23:26
Severity ?
EPSS score ?
Summary
DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter “name” of the script “DIAE_HandlerAlarmGroup.ashx”.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:25:16.514Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThanOrEqual": "1.7.5", "status": "affected", "version": "All", "versionType": "custom" } ] } ], "datePublic": "2021-12-16T00:00:00", "descriptions": [ { "lang": "en", "value": "DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter \u201cname\u201d of the script \u201cDIAE_HandlerAlarmGroup.ashx\u201d." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-22T18:06:49", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has released an updated version of DIAEnergie and recommends users install v1.8.0 and later on all affected systems." } ], "source": { "advisory": "ICSA-21-238-03", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie (Update A)", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-12-16T20:56:00.000Z", "ID": "CVE-2021-44471", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie (Update A)" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "All", "version_value": "1.7.5" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter \u201cname\u201d of the script \u201cDIAE_HandlerAlarmGroup.ashx\u201d." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has released an updated version of DIAEnergie and recommends users install v1.8.0 and later on all affected systems." } ], "source": { "advisory": "ICSA-21-238-03", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-44471", "datePublished": "2021-12-22T18:06:49.880794Z", "dateReserved": "2021-12-14T00:00:00", "dateUpdated": "2024-09-16T23:26:35.646Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-0822
Vulnerability from cvelistv5
Published
2023-02-17 16:46
Modified
2024-08-02 05:24
Severity ?
EPSS score ?
Summary
The affected product DIAEnergie (versions prior to v1.9.03.001) contains improper authorization, which could allow an unauthorized user to bypass authorization and access privileged functionality.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < v1.9.03.001 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T05:24:34.482Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie ", "vendor": "Delta Electronics ", "versions": [ { "lessThan": "v1.9.03.001", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2023-02-16T18:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe affected product DIAEnergie (versions prior to v1.9.03.001) contains improper authorization, which could allow an unauthorized user to bypass authorization and access privileged functionality. \u003c/span\u003e\n\n" } ], "value": "\nThe affected product DIAEnergie (versions prior to v1.9.03.001) contains improper authorization, which could allow an unauthorized user to bypass authorization and access privileged functionality. \n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285 Improper Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-17T16:46:21.643Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta did not publicly release v1.9.01.002, v1.9.02.001, and v1.9.03.001, which address these vulnerabilities. Users are encouraged to contact Delta to receive these updates. \u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta did not publicly release v1.9.01.002, v1.9.02.001, and v1.9.03.001, which address these vulnerabilities. Users are encouraged to contact Delta to receive these updates. \n\n\n" } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Improper Authorization", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2023-0822", "datePublished": "2023-02-17T16:46:21.643Z", "dateReserved": "2023-02-14T01:24:31.882Z", "dateUpdated": "2024-08-02T05:24:34.482Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26349
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-16 23:01
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_eccoefficientHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:03:32.669Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_eccoefficientHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-29T16:37:08", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in DIAE_eccoefficientHandler.ashx", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26349", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in DIAE_eccoefficientHandler.ashx" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_eccoefficientHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26349", "datePublished": "2022-03-29T16:37:08.970543Z", "dateReserved": "2022-03-17T00:00:00", "dateUpdated": "2024-09-16T23:01:27.184Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-4549
Vulnerability from cvelistv5
Published
2024-05-06 13:54
Modified
2024-08-01 20:47
Severity ?
EPSS score ?
Summary
A denial of service vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior. When processing an 'ICS Restart!' message, CEBC.exe restarts the system.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "lessThanOrEqual": "1.10.1.8610", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-4549", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-06T15:35:29.745502Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-20T20:08:39.537Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:47:41.185Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.tenable.com/security/research/tra-2024-13" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThanOrEqual": "1.10.1.8610", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A denial of service vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior. When processing an \u0027ICS Restart!\u0027 message, CEBC.exe restarts the system." } ], "value": "A denial of service vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior. When processing an \u0027ICS Restart!\u0027 message, CEBC.exe restarts the system." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-06T20:47:40.285Z", "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable" }, "references": [ { "url": "https://www.tenable.com/security/research/tra-2024-13" } ], "source": { "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection ", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "assignerShortName": "tenable", "cveId": "CVE-2024-4549", "datePublished": "2024-05-06T13:54:32.808Z", "dateReserved": "2024-05-06T13:35:44.109Z", "dateUpdated": "2024-08-01T20:47:41.185Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26839
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-16 19:40
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to an incorrect default permission in the DIAEnergie application, which may allow an attacker to plant new files (such as DLLs) or replace existing executable files.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:11:44.493Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to an incorrect default permission in the DIAEnergie application, which may allow an attacker to plant new files (such as DLLs) or replace existing executable files." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-29T16:37:14", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie Incorrect Default Permissions", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26839", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie Incorrect Default Permissions" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to an incorrect default permission in the DIAEnergie application, which may allow an attacker to plant new files (such as DLLs) or replace existing executable files." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-276 Incorrect Default Permissions" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26839", "datePublished": "2022-03-29T16:37:14.522692Z", "dateReserved": "2022-03-14T00:00:00", "dateUpdated": "2024-09-16T19:40:01.461Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1370
Vulnerability from cvelistv5
Published
2022-05-02 18:05
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadREGbyID. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:05.873Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadREGbyID. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-02T18:05:34", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "workarounds": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-1370", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadREGbyID. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1370", "datePublished": "2022-05-02T18:05:34", "dateReserved": "2022-04-14T00:00:00", "dateUpdated": "2024-08-03T00:03:05.873Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-43506
Vulnerability from cvelistv5
Published
2022-11-17 22:45
Modified
2024-08-03 13:32
Severity ?
EPSS score ?
Summary
SQL Injection in
HandlerTag_KID.ashx
in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:32:59.709Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "status": "affected", "version": "All" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-11-10T18:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "SQL Injection in \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHandlerTag_KID.ashx\u003c/span\u003e\n\n\u003c/span\u003e\n\nin Delta Electronics DIAEnergie versions prior to\u0026nbsp;v1.9.02.001\u0026nbsp;allows an attacker to inject SQL queries via Network" } ], "value": "SQL Injection in \n\n\n\nHandlerTag_KID.ashx\n\n\n\nin Delta Electronics DIAEnergie versions prior to\u00a0v1.9.02.001\u00a0allows an attacker to inject SQL queries via Network" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-26T23:11:28.594Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\n\n\n" } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL Injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-43506", "datePublished": "2022-11-17T22:45:55.514407Z", "dateReserved": "2022-10-31T00:00:00", "dateUpdated": "2024-08-03T13:32:59.709Z", "serial": 1, "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26666
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-16 16:42
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerECC.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:11:44.235Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerECC.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-29T16:27:49", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in HandlerDialogECC.ashx", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26666", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in HandlerDialogECC.ashx" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerECC.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26666", "datePublished": "2022-03-29T16:37:11.423878Z", "dateReserved": "2022-03-17T00:00:00", "dateUpdated": "2024-09-16T16:42:57.573Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-25574
Vulnerability from cvelistv5
Published
2024-04-01 16:04
Modified
2024-08-01 23:44
Severity ?
EPSS score ?
Summary
SQL injection vulnerability exists in GetDIAE_usListParameters.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < v1.10.00.005 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "lessThan": "1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-25574", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-04-01T17:13:46.607653Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-20T20:09:02.248Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:44:09.659Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2024-03-14T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\nSQL injection vulnerability exists in GetDIAE_usListParameters.\n\n\u003c/span\u003e\n\n" } ], "value": "\nSQL injection vulnerability exists in GetDIAE_usListParameters.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-01T16:04:46.800Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en/customerService\"\u003eDelta Electronics\u0027 regional sales or agents\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents https://www.deltaww.com/en/customerService .\n\n" } ], "source": { "advisory": "ICSA-24-074-12", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL Injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-25574", "datePublished": "2024-04-01T16:04:46.800Z", "dateReserved": "2024-03-12T15:07:02.593Z", "dateUpdated": "2024-08-01T23:44:09.659Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26667
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-16 22:02
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetDemandAnalysisData. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:11:44.212Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetDemandAnalysisData. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-29T16:37:13", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in GetDemandAnalysisData", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26667", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in GetDemandAnalysisData" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetDemandAnalysisData. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26667", "datePublished": "2022-03-29T16:37:13.735503Z", "dateReserved": "2022-03-17T00:00:00", "dateUpdated": "2024-09-16T22:02:34.333Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-27175
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-17 00:06
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetCalcTagList. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:25:31.017Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetCalcTagList. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-29T16:37:15", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in GetCalcTagList", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-27175", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in GetCalcTagList" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in GetCalcTagList. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-27175", "datePublished": "2022-03-29T16:37:15.390852Z", "dateReserved": "2022-03-14T00:00:00", "dateUpdated": "2024-09-17T00:06:31.170Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-40967
Vulnerability from cvelistv5
Published
2022-10-27 20:15
Modified
2024-09-16 18:03
Severity ?
EPSS score ?
Summary
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection that exists in CheckIoTHubNameExisted. A low-privileged authenticated attacker could exploit this issue to inject arbitrary SQL queries.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All < v1.9.01.002 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:28:42.933Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.9.01.002", "status": "affected", "version": "All", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-10-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection that exists in CheckIoTHubNameExisted. A low-privileged authenticated attacker could exploit this issue to inject arbitrary SQL queries." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-27T00:00:00", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "value": "Delta did not publicly release v1.9.01.002. Users are encouraged to contact Delta front-end sales or agents to get this updated version." } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-40967", "datePublished": "2022-10-27T20:15:38.073089Z", "dateReserved": "2022-09-29T00:00:00", "dateUpdated": "2024-09-16T18:03:59.370Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26514
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-16 16:23
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_tagHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:03:32.974Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_tagHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-29T16:37:12", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in DIAE_tagHandler.ashx", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26514", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in DIAE_tagHandler.ashx" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in DIAE_tagHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26514", "datePublished": "2022-03-29T16:37:12.212364Z", "dateReserved": "2022-03-17T00:00:00", "dateUpdated": "2024-09-16T16:23:37.176Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-41555
Vulnerability from cvelistv5
Published
2022-10-27 20:15
Modified
2024-09-17 00:11
Severity ?
EPSS score ?
Summary
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PutLineMessageSetting API.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All < v1.9.01.002 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:42:46.250Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.9.01.002", "status": "affected", "version": "All", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-10-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PutLineMessageSetting API." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-27T00:00:00", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "value": "Delta did not publicly release v1.9.01.002. Users are encouraged to contact Delta front-end sales or agents to get this updated version." } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-41555", "datePublished": "2022-10-27T20:15:37.817278Z", "dateReserved": "2022-09-29T00:00:00", "dateUpdated": "2024-09-17T00:11:45.724Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-23975
Vulnerability from cvelistv5
Published
2024-03-21 22:15
Modified
2024-08-12 20:27
Severity ?
EPSS score ?
Summary
SQL injection vulnerability exists in GetDIAE_slogListParameters.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < v1.10.00.005 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:13:08.814Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "lessThan": "1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-23975", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-03-22T14:45:33.701884Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-12T20:27:50.352Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA" } ], "datePublic": "2024-03-14T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSQL injection vulnerability exists in GetDIAE_slogListParameters.\u003c/span\u003e\n\n" } ], "value": "\nSQL injection vulnerability exists in GetDIAE_slogListParameters.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027) ", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-21T22:15:33.833Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en/customerService\"\u003eDelta Electronics\u0027 regional sales or agents\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents https://www.deltaww.com/en/customerService .\n\n" } ], "source": { "advisory": "ICSA-24-074-12", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-23975", "datePublished": "2024-03-21T22:15:33.833Z", "dateReserved": "2024-03-12T15:07:02.617Z", "dateUpdated": "2024-08-12T20:27:50.352Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-28171
Vulnerability from cvelistv5
Published
2024-03-21 22:19
Modified
2024-08-28 14:18
Severity ?
EPSS score ?
Summary
It is possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < v1.10.00.005 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:48:49.142Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:delta_electronics:diaenergie:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "delta_electronics", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-28171", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-22T17:56:00.396002Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-28T14:18:49.656Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2024-03-14T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIt is possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.\u003c/span\u003e\n\n" } ], "value": "\nIt is possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper limitation of a pathname to a restricted directory (\u0027Path traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-21T22:19:36.480Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en/customerService\"\u003eDelta Electronics\u0027 regional sales or agents\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents https://www.deltaww.com/en/customerService .\n\n" } ], "source": { "advisory": "ICSA-24-074-12", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie Path traversal", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-28171", "datePublished": "2024-03-21T22:19:36.480Z", "dateReserved": "2024-03-12T15:07:02.588Z", "dateUpdated": "2024-08-28T14:18:49.656Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-25347
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-17 02:26
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to path traversal attacks, which may allow an attacker to write arbitrary files to locations on the file system.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:36:06.902Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to path traversal attacks, which may allow an attacker to write arbitrary files to locations on the file system." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-37", "description": "CWE-37 Path Traversal", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-29T16:37:04", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie Path Traversal", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-25347", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie Path Traversal" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) is vulnerable to path traversal attacks, which may allow an attacker to write arbitrary files to locations on the file system." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-37 Path Traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-25347", "datePublished": "2022-03-29T16:37:04.204544Z", "dateReserved": "2022-03-14T00:00:00", "dateUpdated": "2024-09-17T02:26:25.993Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1377
Vulnerability from cvelistv5
Published
2022-05-02 18:11
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_rltHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:06.222Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_rltHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-02T18:11:25", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "workarounds": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-1377", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_rltHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1377", "datePublished": "2022-05-02T18:11:25", "dateReserved": "2022-04-14T00:00:00", "dateUpdated": "2024-08-03T00:03:06.222Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-40965
Vulnerability from cvelistv5
Published
2022-10-27 20:15
Modified
2024-09-16 20:06
Severity ?
EPSS score ?
Summary
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PostEnergyType API.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All < v1.9.01.002 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:28:43.031Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.9.01.002", "status": "affected", "version": "All", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-10-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PostEnergyType API." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-27T00:00:00", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "value": "Delta did not publicly release v1.9.01.002. Users are encouraged to contact Delta front-end sales or agents to get this updated version." } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-40965", "datePublished": "2022-10-27T20:15:37.542059Z", "dateReserved": "2022-09-29T00:00:00", "dateUpdated": "2024-09-16T20:06:21.981Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-28040
Vulnerability from cvelistv5
Published
2024-03-21 22:13
Modified
2024-08-12 20:14
Severity ?
EPSS score ?
Summary
SQL injection vulnerability exists in GetDIAE_astListParameters.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < v1.10.00.005 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:48:47.823Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "lessThan": "1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-28040", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-03-28T19:11:12.203178Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-12T20:14:25.821Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2024-03-14T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSQL injection vulnerability exists in GetDIAE_astListParameters.\u003c/span\u003e\n\n" } ], "value": "\nSQL injection vulnerability exists in GetDIAE_astListParameters.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027) ", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-21T22:13:40.119Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en/customerService\"\u003eDelta Electronics\u0027 regional sales or agents\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents https://www.deltaww.com/en/customerService .\n\n" } ], "source": { "advisory": "ICSA-24-074-12", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-28040", "datePublished": "2024-03-21T22:13:40.119Z", "dateReserved": "2024-03-12T15:07:02.634Z", "dateUpdated": "2024-08-12T20:14:25.821Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-41775
Vulnerability from cvelistv5
Published
2022-11-17 22:45
Modified
2024-08-03 12:49
Severity ?
EPSS score ?
Summary
SQL Injection in
Handler_CFG.ashx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:49:43.806Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "status": "affected", "version": "All" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-11-10T18:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "SQL Injection in \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHandler_CFG.ashx\u003c/span\u003e\u0026nbsp;\u003c/span\u003e\u003c/span\u003ein Delta Electronics DIAEnergie versions prior to\u0026nbsp;v1.9.02.001\u0026nbsp;allows an attacker to inject SQL queries via Network" } ], "value": "SQL Injection in \n\n\n\n\n\n\n\nHandler_CFG.ashx\u00a0in Delta Electronics DIAEnergie versions prior to\u00a0v1.9.02.001\u00a0allows an attacker to inject SQL queries via Network" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-26T23:00:39.638Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\n\n\n" } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL Injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-41775", "datePublished": "2022-11-17T22:45:55.264436Z", "dateReserved": "2022-10-31T00:00:00", "dateUpdated": "2024-08-03T12:49:43.806Z", "serial": 1, "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-43457
Vulnerability from cvelistv5
Published
2022-11-17 22:45
Modified
2024-10-15 18:34
Severity ?
EPSS score ?
Summary
SQL Injection in
HandlerPage_KID.ashx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:32:58.898Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-43457", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-15T17:15:59.356108Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-15T18:34:46.178Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "status": "affected", "version": "All" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-11-10T18:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "SQL Injection in \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHandlerPage_KID.ashx\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u0026nbsp;\u003c/span\u003e\u003c/span\u003ein Delta Electronics DIAEnergie versions prior to\u0026nbsp;v1.9.02.001\u0026nbsp;allows an attacker to inject SQL queries via Network" } ], "value": "SQL Injection in \n\n\n\n\n\n\n\n\n\n\n\nHandlerPage_KID.ashx\u00a0in Delta Electronics DIAEnergie versions prior to\u00a0v1.9.02.001\u00a0allows an attacker to inject SQL queries via Network" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-26T23:06:07.637Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\n\n\n" } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL Injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-43457", "datePublished": "2022-11-17T22:45:54.782994Z", "dateReserved": "2022-10-31T00:00:00", "dateUpdated": "2024-10-15T18:34:46.178Z", "serial": 1, "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1369
Vulnerability from cvelistv5
Published
2022-05-02 18:03
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadRegIND. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:05.823Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadRegIND. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-02T18:03:59", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "workarounds": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-1369", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadRegIND. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1369", "datePublished": "2022-05-02T18:03:59", "dateReserved": "2022-04-14T00:00:00", "dateUpdated": "2024-08-03T00:03:05.823Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-28891
Vulnerability from cvelistv5
Published
2024-03-21 22:07
Modified
2024-08-12 20:09
Severity ?
EPSS score ?
Summary
SQL injection vulnerability exists in the script Handler_CFG.ashx.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < v1.10.00.005 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "lessThan": "1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-28891", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-03-22T14:43:20.687504Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-12T20:09:47.869Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T01:03:49.999Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2024-03-14T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSQL injection vulnerability exists in the script Handler_CFG.ashx.\u003c/span\u003e\n\n" } ], "value": "\nSQL injection vulnerability exists in the script Handler_CFG.ashx.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-21T22:07:18.175Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en/customerService\"\u003eDelta Electronics\u0027 regional sales or agents\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents https://www.deltaww.com/en/customerService .\n\n" } ], "source": { "advisory": "ICSA-24-074-12", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-28891", "datePublished": "2024-03-21T22:07:18.175Z", "dateReserved": "2024-03-12T15:07:02.644Z", "dateUpdated": "2024-08-12T20:09:47.869Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-31558
Vulnerability from cvelistv5
Published
2021-12-22 18:06
Modified
2024-09-16 18:40
Severity ?
EPSS score ?
Summary
DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter “descr” of the script “DIAE_hierarchyHandler.ashx”.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:03:33.088Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThanOrEqual": "1.7.5", "status": "affected", "version": "All", "versionType": "custom" } ] } ], "datePublic": "2021-12-16T00:00:00", "descriptions": [ { "lang": "en", "value": "DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter \u201cdescr\u201d of the script \u201cDIAE_hierarchyHandler.ashx\u201d." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-22T18:06:51", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has released an updated version of DIAEnergie and recommends users install v1.8.0 and later on all affected systems." } ], "source": { "advisory": "ICSA-21-238-03", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie (Update A)", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-12-16T20:56:00.000Z", "ID": "CVE-2021-31558", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie (Update A)" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "All", "version_value": "1.7.5" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "DIAEnergie Version 1.7.5 and prior is vulnerable to stored cross-site scripting when an unauthenticated user injects arbitrary code into the parameter \u201cdescr\u201d of the script \u201cDIAE_hierarchyHandler.ashx\u201d." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has released an updated version of DIAEnergie and recommends users install v1.8.0 and later on all affected systems." } ], "source": { "advisory": "ICSA-21-238-03", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-31558", "datePublished": "2021-12-22T18:06:51.363723Z", "dateReserved": "2021-12-14T00:00:00", "dateUpdated": "2024-09-16T18:40:05.583Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1371
Vulnerability from cvelistv5
Published
2022-05-02 18:06
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadRegf. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:05.646Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadRegf. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-02T18:06:30", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "workarounds": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-1371", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in ReadRegf. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1371", "datePublished": "2022-05-02T18:06:30", "dateReserved": "2022-04-14T00:00:00", "dateUpdated": "2024-08-03T00:03:05.646Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-44544
Vulnerability from cvelistv5
Published
2021-12-22 18:06
Modified
2024-09-17 01:41
Severity ?
EPSS score ?
Summary
DIAEnergie Version 1.7.5 and prior is vulnerable to multiple cross-site scripting vulnerabilities when arbitrary code is injected into the parameter “name” of the script “HandlerEnergyType.ashx”.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:25:16.449Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThanOrEqual": "1.7.5", "status": "affected", "version": "All", "versionType": "custom" } ] } ], "datePublic": "2021-12-16T00:00:00", "descriptions": [ { "lang": "en", "value": "DIAEnergie Version 1.7.5 and prior is vulnerable to multiple cross-site scripting vulnerabilities when arbitrary code is injected into the parameter \u201cname\u201d of the script \u201cHandlerEnergyType.ashx\u201d." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-22T18:06:50", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has released an updated version of DIAEnergie and recommends users install v1.8.0 and later on all affected systems." } ], "source": { "advisory": "ICSA-21-238-03", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie (Update A)", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-12-16T20:56:00.000Z", "ID": "CVE-2021-44544", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie (Update A)" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "All", "version_value": "1.7.5" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "DIAEnergie Version 1.7.5 and prior is vulnerable to multiple cross-site scripting vulnerabilities when arbitrary code is injected into the parameter \u201cname\u201d of the script \u201cHandlerEnergyType.ashx\u201d." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has released an updated version of DIAEnergie and recommends users install v1.8.0 and later on all affected systems." } ], "source": { "advisory": "ICSA-21-238-03", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-44544", "datePublished": "2021-12-22T18:06:50.589935Z", "dateReserved": "2021-12-14T00:00:00", "dateUpdated": "2024-09-17T01:41:11.354Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-34031
Vulnerability from cvelistv5
Published
2024-05-03 00:18
Modified
2024-08-12 20:09
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the script Handler_CFG.ashx. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02 | government-resource |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 1.10.00.005 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:1.10.00.005:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "status": "affected", "version": "1.10.00.005" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-34031", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-25T19:07:57.188972Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-12T20:09:18.872Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T02:42:59.938Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "government-resource", "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie ", "vendor": "Delta Electronics", "versions": [ { "status": "affected", "version": "1.10.00.005" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the script Handler_CFG.ashx. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed.\u003c/span\u003e\n\n" } ], "value": "\nDelta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the script Handler_CFG.ashx. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": " Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) CWE-89", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-03T00:18:13.497Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "government-resource" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta Electronics recommends users update to DIAEnergie v1.10.01.004 to mitigate these vulnerabilities. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta Electronics recommends users update to DIAEnergie v1.10.01.004 to mitigate these vulnerabilities. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents.\n\n" } ], "source": { "discovery": "UNKNOWN" }, "title": " SQL Injection vulnerability in Delta Electronics DIAEnergie ", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-34031", "datePublished": "2024-05-03T00:18:13.497Z", "dateReserved": "2024-04-29T17:56:18.035Z", "dateUpdated": "2024-08-12T20:09:18.872Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-23228
Vulnerability from cvelistv5
Published
2021-12-22 18:06
Modified
2024-09-17 02:36
Severity ?
EPSS score ?
Summary
DIAEnergie Version 1.7.5 and prior is vulnerable to a reflected cross-site scripting attack through error pages that are returned by “.NET Request.QueryString”.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T19:05:55.672Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThanOrEqual": "1.7.5", "status": "affected", "version": "All", "versionType": "custom" } ] } ], "datePublic": "2021-12-16T00:00:00", "descriptions": [ { "lang": "en", "value": "DIAEnergie Version 1.7.5 and prior is vulnerable to a reflected cross-site scripting attack through error pages that are returned by \u201c.NET Request.QueryString\u201d." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-22T18:06:52", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has released an updated version of DIAEnergie and recommends users install v1.8.0 and later on all affected systems." } ], "source": { "advisory": "ICSA-21-238-03", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie (Update A)", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-12-16T20:56:00.000Z", "ID": "CVE-2021-23228", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie (Update A)" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "All", "version_value": "1.7.5" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "DIAEnergie Version 1.7.5 and prior is vulnerable to a reflected cross-site scripting attack through error pages that are returned by \u201c.NET Request.QueryString\u201d." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03", "refsource": "MISC", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-238-03" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has released an updated version of DIAEnergie and recommends users install v1.8.0 and later on all affected systems." } ], "source": { "advisory": "ICSA-21-238-03", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-23228", "datePublished": "2021-12-22T18:06:52.089004Z", "dateReserved": "2021-12-14T00:00:00", "dateUpdated": "2024-09-17T02:36:27.721Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26887
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-16 16:43
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_loopmapHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:18:37.998Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_loopmapHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-29T16:26:06", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in DIAE_HandlerTag_KID.ashx", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26887", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in DIAE_HandlerTag_KID.ashx" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_loopmapHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26887", "datePublished": "2022-03-29T16:37:10.562468Z", "dateReserved": "2022-03-17T00:00:00", "dateUpdated": "2024-09-16T16:43:04.850Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-41133
Vulnerability from cvelistv5
Published
2022-10-27 20:15
Modified
2024-09-16 16:33
Severity ?
EPSS score ?
Summary
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection that exists in GetDIAE_line_message_settingsListParameters. A low-privileged authenticated attacker could exploit this issue to inject arbitrary SQL queries.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All < v1.9.01.002 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:35:49.376Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.9.01.002", "status": "affected", "version": "All", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-10-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection that exists in GetDIAE_line_message_settingsListParameters. A low-privileged authenticated attacker could exploit this issue to inject arbitrary SQL queries." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-27T00:00:00", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "value": "Delta did not publicly release v1.9.01.002. Users are encouraged to contact Delta front-end sales or agents to get this updated version." } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-41133", "datePublished": "2022-10-27T20:15:38.873048Z", "dateReserved": "2022-09-29T00:00:00", "dateUpdated": "2024-09-16T16:33:27.218Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26065
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-16 19:24
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:56:37.454Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-29T16:23:23", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in GetLatestDemandNode and GetDemandAnalysisData", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26065", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in GetLatestDemandNode and GetDemandAnalysisData" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in GetLatestDemandNode. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26065", "datePublished": "2022-03-29T16:37:08.222812Z", "dateReserved": "2022-03-14T00:00:00", "dateUpdated": "2024-09-16T19:24:17.334Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-4547
Vulnerability from cvelistv5
Published
2024-05-06 13:48
Modified
2024-08-01 20:47
Severity ?
EPSS score ?
Summary
A SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateScript' message, which is splitted into 4 fields using the '~' character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "lessThanOrEqual": "1.10.1.8610", "status": "affected", "version": "-", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-4547", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-05-06T18:33:49.309166Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-20T20:08:45.951Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:47:40.554Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.tenable.com/security/research/tra-2024-13" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThanOrEqual": "1.10.1.8610", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A SQLi vulnerability exists in\u0026nbsp;Delta Electronics\u0026nbsp;DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a \u0027RecalculateScript\u0027 message, which is splitted into 4 fields using the \u0027~\u0027 character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field" } ], "value": "A SQLi vulnerability exists in\u00a0Delta Electronics\u00a0DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a \u0027RecalculateScript\u0027 message, which is splitted into 4 fields using the \u0027~\u0027 character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field" } ], "impacts": [ { "capecId": "CAPEC-66", "descriptions": [ { "lang": "en", "value": "CAPEC-66 SQL Injection" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-06T13:48:08.737Z", "orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable" }, "references": [ { "url": "https://www.tenable.com/security/research/tra-2024-13" } ], "source": { "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie Unauthenticated SQL Injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "assignerShortName": "tenable", "cveId": "CVE-2024-4547", "datePublished": "2024-05-06T13:48:08.737Z", "dateReserved": "2024-05-06T13:35:42.505Z", "dateUpdated": "2024-08-01T20:47:40.554Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26338
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-17 01:36
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerPageP_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:03:32.728Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerPageP_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-29T16:16:11", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in DIAE_hierarchyHandler.ashx", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26338", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in DIAE_hierarchyHandler.ashx" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerPageP_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26338", "datePublished": "2022-03-29T16:37:12.974178Z", "dateReserved": "2022-03-14T00:00:00", "dateUpdated": "2024-09-17T01:36:14.948Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-41702
Vulnerability from cvelistv5
Published
2022-10-27 20:15
Modified
2024-09-16 23:12
Severity ?
EPSS score ?
Summary
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the InsertReg API.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All < v1.9.01.002 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:49:43.734Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.9.01.002", "status": "affected", "version": "All", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-10-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the InsertReg API." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-27T00:00:00", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "value": "Delta did not publicly release v1.9.01.002. Users are encouraged to contact Delta front-end sales or agents to get this updated version." } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-41702", "datePublished": "2022-10-27T20:15:39.344648Z", "dateReserved": "2022-09-29T00:00:00", "dateUpdated": "2024-09-16T23:12:02.531Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-42417
Vulnerability from cvelistv5
Published
2024-10-03 22:32
Modified
2024-10-04 14:14
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS score ?
Summary
Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script Handler_CFG.ashx. An authenticated attacker may be able to exploit this issue to cause delay in the targeted product.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "lessThanOrEqual": "1.10.01.008", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-42417", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-04T14:12:45.958174Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-04T14:14:32.287Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThanOrEqual": "v1.10.01.008", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta Electronics DIAEnergie is vulnerable to an SQL injection in the script Handler_CFG.ashx. An authenticated attacker may be able to exploit this issue to cause delay in the targeted product.\u003c/span\u003e\n\n\u003c/span\u003e" } ], "value": "Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script Handler_CFG.ashx. An authenticated attacker may be able to exploit this issue to cause delay in the targeted product." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] }, { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-03T22:32:59.999Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-277-03" }, { "url": "https://www.deltaww.com/en-US/Cybersecurity_Advisory" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eDelta recommends users update to DIAEnergie v1.10.01.009. Users can request this version of DIAEnergie from \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en-US/customerService\"\u003eDelta Electronics\u0027 regional sales or agents.\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor more information on this issue, please see the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en-US/Cybersecurity_Advisory\"\u003eDelta product cybersecurity advisory.\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e" } ], "value": "Delta recommends users update to DIAEnergie v1.10.01.009. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents. https://www.deltaww.com/en-US/customerService \n\nFor more information on this issue, please see the Delta product cybersecurity advisory. https://www.deltaww.com/en-US/Cybersecurity_Advisory" } ], "source": { "advisory": "ICSA-24-277-03", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL Injection", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-42417", "datePublished": "2024-10-03T22:32:59.999Z", "dateReserved": "2024-10-01T17:18:54.590Z", "dateUpdated": "2024-10-04T14:14:32.287Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1374
Vulnerability from cvelistv5
Published
2022-05-02 18:08
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_unHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:06.045Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_unHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-02T18:08:51", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "workarounds": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-1374", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_unHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1374", "datePublished": "2022-05-02T18:08:51", "dateReserved": "2022-04-14T00:00:00", "dateUpdated": "2024-08-03T00:03:06.045Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-43452
Vulnerability from cvelistv5
Published
2022-11-17 22:45
Modified
2024-08-03 13:32
Severity ?
EPSS score ?
Summary
SQL Injection in
FtyInfoSetting.aspx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:32:58.775Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "status": "affected", "version": "All" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-11-10T18:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "SQL Injection in \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFtyInfoSetting.aspx\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u0026nbsp;\u003c/span\u003e\u003c/span\u003ein Delta Electronics DIAEnergie versions prior to\u0026nbsp;v1.9.02.001\u0026nbsp;allows an attacker to inject SQL queries via Network" } ], "value": "SQL Injection in \n\n\n\n\n\n\n\n\n\n\n\n\n\nFtyInfoSetting.aspx\u00a0in Delta Electronics DIAEnergie versions prior to\u00a0v1.9.02.001\u00a0allows an attacker to inject SQL queries via Network" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-26T23:03:09.406Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\n\n\n" } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL Injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-43452", "datePublished": "2022-11-17T22:45:55.011451Z", "dateReserved": "2022-10-31T00:00:00", "dateUpdated": "2024-08-03T13:32:58.775Z", "serial": 1, "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-28029
Vulnerability from cvelistv5
Published
2024-03-21 22:04
Modified
2024-10-17 18:45
Severity ?
EPSS score ?
Summary
Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < v1.10.00.005 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T00:48:47.726Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "lessThan": "1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-28029", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-03-22T14:38:46.183877Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-12T20:26:21.673Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2024-03-14T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePrivileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.\u003c/span\u003e" } ], "value": "Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-602", "description": "CWE-602 Client-Side Enforcement of Server-Side Security", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-17T18:45:56.861Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en/customerService\"\u003eDelta Electronics\u0027 regional sales or agents\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "Delta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents https://www.deltaww.com/en/customerService ." } ], "source": { "advisory": "ICSA-24-074-12", "discovery": "EXTERNAL" }, "title": "Client-Side Enforcement of Server-Side Security in Delta Electronics DIAEnergie", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-28029", "datePublished": "2024-03-21T22:04:57.512Z", "dateReserved": "2024-03-12T15:07:02.648Z", "dateUpdated": "2024-10-17T18:45:56.861Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-25980
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-17 02:56
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerCommon.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:56:36.494Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerCommon.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-29T16:37:03", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in HandlerCommon.ashx", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-25980", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in HandlerCommon.ashx" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerCommon.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-25980", "datePublished": "2022-03-29T16:37:03.370801Z", "dateReserved": "2022-03-14T00:00:00", "dateUpdated": "2024-09-17T02:56:47.787Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-26069
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-17 04:25
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerPage_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:56:37.548Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerPage_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-03-29T16:37:05", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in HandlerPage_KID.ashx", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26069", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in HandlerPage_KID.ashx" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerPage_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26069", "datePublished": "2022-03-29T16:37:05.023631Z", "dateReserved": "2022-03-14T00:00:00", "dateUpdated": "2024-09-17T04:25:20.024Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-1375
Vulnerability from cvelistv5
Published
2022-05-02 18:09
Modified
2024-08-03 00:03
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_slogHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:03:06.042Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_slogHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-02T18:09:44", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "workarounds": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2022-1375", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in DIAE_slogHandler.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022." } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Delta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ] } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-1375", "datePublished": "2022-05-02T18:09:44", "dateReserved": "2022-04-14T00:00:00", "dateUpdated": "2024-08-03T00:03:06.042Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-23494
Vulnerability from cvelistv5
Published
2024-03-21 22:16
Modified
2024-08-12 20:08
Severity ?
EPSS score ?
Summary
SQL injection vulnerability exists in GetDIAE_unListParameters.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < v1.10.00.005 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-23494", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-03-25T16:30:51.439451Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-12T20:08:11.574Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:06:25.048Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.10.00.005", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2024-03-15T17:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSQL injection vulnerability exists in GetDIAE_unListParameters.\u003c/span\u003e\n\n" } ], "value": "\nSQL injection vulnerability exists in GetDIAE_unListParameters.\n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89: Improper neutralization of special elements used in an SQL command (\u0027SQL injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-21T22:16:52.975Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en/customerService\"\u003eDelta Electronics\u0027 regional sales or agents\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nDelta recommends users update to DIAEnergie v1.10.00.005. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents https://www.deltaww.com/en/customerService .\n\n" } ], "source": { "advisory": "ICSA-24-074-12", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL injection", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-23494", "datePublished": "2024-03-21T22:16:52.975Z", "dateReserved": "2024-03-12T15:07:02.611Z", "dateUpdated": "2024-08-12T20:08:11.574Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-41651
Vulnerability from cvelistv5
Published
2022-10-27 20:15
Modified
2024-09-17 00:36
Severity ?
EPSS score ?
Summary
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the SetPF API.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All < v1.9.01.002 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:49:43.401Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.9.01.002", "status": "affected", "version": "All", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-10-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the SetPF API." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-27T00:00:00", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "value": "Delta did not publicly release v1.9.01.002. Users are encouraged to contact Delta front-end sales or agents to get this updated version." } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-41651", "datePublished": "2022-10-27T20:15:39.114154Z", "dateReserved": "2022-09-29T00:00:00", "dateUpdated": "2024-09-17T00:36:16.230Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-25880
Vulnerability from cvelistv5
Published
2022-03-29 16:37
Modified
2024-09-17 00:50
Severity ?
EPSS score ?
Summary
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerTag_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
References
▼ | URL | Tags |
---|---|---|
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: unspecified < 1.8.02.004 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:49:44.150Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "datePublic": "2022-03-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerTag_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-29T16:35:45", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ], "solutions": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" }, "title": "Delta Electronics DIAEnergie SQL Injection in DIAE_hierarchyHandler.ashx", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-25880", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in DIAE_hierarchyHandler.ashx" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "DIAEnergie", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "1.8.02.004" } ] } } ] }, "vendor_name": "Delta Electronics" } ] } }, "credit": [ { "lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerTag_KID.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-89 SQL Injection" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01" } ] }, "solution": [ { "lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices" } ], "source": { "advisory": "ICSA-22-081-01", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-25880", "datePublished": "2022-03-29T16:37:06.548679Z", "dateReserved": "2022-03-17T00:00:00", "dateUpdated": "2024-09-17T00:50:39.263Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-43699
Vulnerability from cvelistv5
Published
2024-10-03 22:28
Modified
2024-10-04 14:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS score ?
Summary
Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. An unauthenticated attacker may be able to exploit this issue to obtain records contained in the targeted product.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: 0 < |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "diaenergie", "vendor": "deltaww", "versions": [ { "lessThanOrEqual": "1.10.01.008", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-43699", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-04T14:14:50.609579Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-04T14:15:27.750Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThanOrEqual": "v1.10.01.008", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDelta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. An unauthenticated attacker may be able to exploit this issue to obtain records contained in the targeted product.\u003c/span\u003e" } ], "value": "Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. An unauthenticated attacker may be able to exploit this issue to obtain records contained in the targeted product." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] }, { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-03T22:28:35.364Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-277-03" }, { "url": "https://www.deltaww.com/en-US/Cybersecurity_Advisory" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eDelta recommends users update to DIAEnergie v1.10.01.009. Users can request this version of DIAEnergie from \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en-US/customerService\"\u003eDelta Electronics\u0027 regional sales or agents.\u003c/a\u003e\u003c/p\u003e\u003cp\u003eFor more information on this issue, please see the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.deltaww.com/en-US/Cybersecurity_Advisory\"\u003eDelta product cybersecurity advisory.\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e" } ], "value": "Delta recommends users update to DIAEnergie v1.10.01.009. Users can request this version of DIAEnergie from Delta Electronics\u0027 regional sales or agents. https://www.deltaww.com/en-US/customerService \n\nFor more information on this issue, please see the Delta product cybersecurity advisory. https://www.deltaww.com/en-US/Cybersecurity_Advisory" } ], "source": { "advisory": "ICSA-24-277-03", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie SQL Injection", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2024-43699", "datePublished": "2024-10-03T22:28:35.364Z", "dateReserved": "2024-10-01T17:18:54.603Z", "dateUpdated": "2024-10-04T14:15:27.750Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-41773
Vulnerability from cvelistv5
Published
2022-10-27 20:15
Modified
2024-09-17 01:06
Severity ?
EPSS score ?
Summary
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection that exists in CheckDIACloud. A low-privileged authenticated attacker could exploit this issue to inject arbitrary SQL queries.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | Delta Electronics | DIAEnergie |
Version: All < v1.9.01.002 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:49:43.532Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [ { "lessThan": "v1.9.01.002", "status": "affected", "version": "All", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Michael Heinzl reported these vulnerabilities to CISA." } ], "datePublic": "2022-10-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a SQL injection that exists in CheckDIACloud. A low-privileged authenticated attacker could exploit this issue to inject arbitrary SQL queries." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-27T00:00:00", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06" } ], "solutions": [ { "lang": "en", "value": "Delta did not publicly release v1.9.01.002. Users are encouraged to contact Delta front-end sales or agents to get this updated version." } ], "source": { "advisory": "ICSA-22-298-06", "discovery": "EXTERNAL" }, "title": "Delta Electronics DIAEnergie", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-41773", "datePublished": "2022-10-27T20:15:38.645358Z", "dateReserved": "2022-09-29T00:00:00", "dateUpdated": "2024-09-17T01:06:35.756Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }