Vulnerabilities
Vulnerable Software
A path traversal attack is possible, allowing a write outside of the intended directory, and may allow access to sensitive information. If a file name is specified that already exists on the file system, then the original file will be overwritten.
CVSS Score
8.1
EPSS Score
0.001
Published
2024-03-21
SQL injection vulnerability exists in GetDIAE_astListParameters.
CVSS Score
8.8
EPSS Score
0.012
Published
2024-03-21
Improper neutralization of input within the affected product could lead to cross-site scripting.
CVSS Score
4.6
EPSS Score
0.001
Published
2024-03-21
It is possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.
CVSS Score
8.1
EPSS Score
0.001
Published
2024-03-21
SQL injection vulnerability exists in GetDIAE_unListParameters.
CVSS Score
8.8
EPSS Score
0.012
Published
2024-03-21
SQL injection vulnerability exists in GetDIAE_slogListParameters.
CVSS Score
8.8
EPSS Score
0.012
Published
2024-03-21
SQL injection vulnerability exists in the script Handler_CFG.ashx.
CVSS Score
8.8
EPSS Score
0.012
Published
2024-03-21
Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.
CVSS Score
8.8
EPSS Score
0.0
Published
2024-03-21
SQL injection vulnerability exists in the script DIAE_tagHandler.ashx.
CVSS Score
8.8
EPSS Score
0.012
Published
2024-03-21
The affected product DIAEnergie (versions prior to v1.9.03.001) contains improper authorization, which could allow an unauthorized user to bypass authorization and access privileged functionality.
CVSS Score
8.8
EPSS Score
0.0
Published
2023-02-17

