RSS   Vulnerabilities for 'Diaenergie'   RSS

2021-08-30
 
CVE-2021-32955

CWE-434
 

 
Delta Electronics DIAEnergie Version 1.7.5 and prior allows unrestricted file uploads, which may allow an attacker to remotely execute code.

 
 
CVE-2021-32967

CWE-287
 

 
Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to add a new administrative user without being authenticated or authorized, which may allow the attacker to log in and use the device with administrative privileges.

 
 
CVE-2021-32983

CWE-89
 

 
A Blind SQL injection vulnerability exists in the /DataHandler/Handler_CFG.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter keyword before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.

 
 
CVE-2021-32991

CWE-352
 

 
Delta Electronics DIAEnergie Version 1.7.5 and prior is vulnerable to cross-site request forgery, which may allow an attacker to cause a user to carry out an action unintentionally.

 
 
CVE-2021-33003

CWE-327
 

 
Delta Electronics DIAEnergie Version 1.7.5 and prior may allow an attacker to retrieve passwords in cleartext due to a weak hashing algorithm.

 
 
CVE-2021-38390

CWE-89
 

 
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerEnergyType.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter egyid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.

 
 
CVE-2021-38391

CWE-89
 

 
A Blind SQL injection vulnerability exists in the /DataHandler/AM/AM_Handler.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter type before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.

 
 
CVE-2021-38393

CWE-89
 

 
A Blind SQL injection vulnerability exists in the /DataHandler/HandlerAlarmGroup.ashx endpoint of Delta Electronics DIAEnergie Version 1.7.5 and prior. The application does not properly validate the user-controlled value supplied through the parameter agid before using it as part of an SQL query. A remote, unauthenticated attacker can exploit this issue to execute arbitrary code in the context of NT SERVICE\MSSQLSERVER.

 

 >>> Vendor: Deltaww 16 Products
Delta industrial automation screen editor
Delta industrial automation dopsoft
Wplsoft
Commgr
Cncsoft
Screeneditor
Ispsoft
Delta industrial automation pmsoft
Tpeditor
Cncsoft screeneditor
Devicenet builder
Cnssoft screeneditor
Dcisoft
Cncsoft-b
Dopsoft
Diaenergie


Copyright 2021, cxsecurity.com

 

Back to Top