Vulnerabilities
Vulnerable Software
A path traversal attack is possible, allowing an attacker to write outside of the intended directory and potentially access sensitive information. If a file name is specified that already exists on the file system, then the original file will be overwritten.
CVSS Score
8.1
EPSS Score
0.001
Published
2024-03-21
SQL injection vulnerability exists in GetDIAE_astListParameters.
CVSS Score
8.8
EPSS Score
0.012
Published
2024-03-21
Improper neutralization of input within the affected product could lead to cross-site scripting.
CVSS Score
4.6
EPSS Score
0.001
Published
2024-03-21
It is possible to perform a path traversal attack and write outside of the intended directory. If a file name is specified that already exists on the file system, then the original file will be overwritten.
CVSS Score
8.1
EPSS Score
0.001
Published
2024-03-21
SQL injection vulnerability exists in GetDIAE_unListParameters.
CVSS Score
8.8
EPSS Score
0.012
Published
2024-03-21
SQL injection vulnerability exists in GetDIAE_slogListParameters.
CVSS Score
8.8
EPSS Score
0.012
Published
2024-03-21
SQL injection vulnerability exists in the script Handler_CFG.ashx.
CVSS Score
8.8
EPSS Score
0.012
Published
2024-03-21
Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.
CVSS Score
8.8
EPSS Score
0.0
Published
2024-03-21
SQL injection vulnerability exists in the script DIAE_tagHandler.ashx.
CVSS Score
8.8
EPSS Score
0.012
Published
2024-03-21
Delta Industrial Automation's DIAEnergy, an industrial energy management system, is vulnerable to CWE-798, Use of Hard-coded Credentials. Versions prior to 1.9.03.009 have this vulnerability. Executable files could be uploaded to certain directories using hard-coded bearer authorization, allowing remote code execution.
CVSS Score
9.8
EPSS Score
0.035
Published
2022-09-16

