Sign-up

ID

VAR-202111-0246


CVE

CVE-2021-38488


TITLE

Delta Electronics DIALink  Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-014626

DESCRIPTION

Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter comment of the API events, which may allow an attacker to remotely execute code. Delta Electronics DIALink Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. DIALink is a device networking platform launched by Delta Electronics, which can effectively manage CNC machine tools and PLC control machines, collect field device data and connect with the upper management platform through a unified interface, and provide visual information to reflect process parameters and equipment work. state. DIALink 1.2.4.0 and earlier versions have a cross-site scripting vulnerability

Trust: 2.16

sources: NVD: CVE-2021-38488 // JVNDB: JVNDB-2021-014626 // CNVD: CNVD-2021-84840

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-84840

AFFECTED PRODUCTS

vendor:deltawwmodel:dialinkscope:lteversion:1.2.4.0

Trust: 1.0

vendor:deltamodel:dialinkscope:eqversion: -

Trust: 0.8

vendor:deltamodel:dialinkscope:lteversion:1.2.4.0 and earlier

Trust: 0.8

vendor:deltamodel:electronics dialinkscope:lteversion:<=1.2.4.0

Trust: 0.6

sources: CNVD: CNVD-2021-84840 // JVNDB: JVNDB-2021-014626 // NVD: CVE-2021-38488

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-38488
value: MEDIUM

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-38488
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-38488
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-84840
value: LOW

Trust: 0.6

CNNVD: CNNVD-202110-1550
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2021-38488
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-84840
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-38488
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-38488
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-38488
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-84840 // JVNDB: JVNDB-2021-014626 // CNNVD: CNNVD-202110-1550 // NVD: CVE-2021-38488 // NVD: CVE-2021-38488

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-014626 // NVD: CVE-2021-38488

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-1550

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202110-1550

PATCH

title:Top Pageurl:https://www.deltaww.com/en-US/index

Trust: 0.8

sources: JVNDB: JVNDB-2021-014626

EXTERNAL IDS

db:NVDid:CVE-2021-38488

Trust: 3.8

db:ICS CERTid:ICSA-21-294-02

Trust: 3.0

db:JVNid:JVNVU94767496

Trust: 0.8

db:JVNDBid:JVNDB-2021-014626

Trust: 0.8

db:CNVDid:CNVD-2021-84840

Trust: 0.6

db:AUSCERTid:ESB-2021.3528

Trust: 0.6

db:CS-HELPid:SB2021102209

Trust: 0.6

db:CNNVDid:CNNVD-202110-1550

Trust: 0.6

sources: CNVD: CNVD-2021-84840 // JVNDB: JVNDB-2021-014626 // CNNVD: CNNVD-202110-1550 // NVD: CVE-2021-38488

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02

Trust: 2.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-38488

Trust: 1.4

url:https://jvn.jp/vu/jvnvu94767496/

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-21-294-02

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021102209

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3528

Trust: 0.6

sources: CNVD: CNVD-2021-84840 // JVNDB: JVNDB-2021-014626 // CNNVD: CNNVD-202110-1550 // NVD: CVE-2021-38488

CREDITS

Michael Heinzl reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202110-1550

SOURCES

db:CNVDid:CNVD-2021-84840
db:JVNDBid:JVNDB-2021-014626
db:CNNVDid:CNNVD-202110-1550
db:NVDid:CVE-2021-38488

LAST UPDATE DATE

2024-08-14T13:53:47.756000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-84840date:2022-01-18T00:00:00
db:JVNDBid:JVNDB-2021-014626date:2022-10-21T06:28:00
db:CNNVDid:CNNVD-202110-1550date:2021-11-16T00:00:00
db:NVDid:CVE-2021-38488date:2021-11-05T14:06:05.740

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-84840date:2021-11-08T00:00:00
db:JVNDBid:JVNDB-2021-014626date:2022-10-21T00:00:00
db:CNNVDid:CNNVD-202110-1550date:2021-10-21T00:00:00
db:NVDid:CVE-2021-38488date:2021-11-03T20:15:08.937