ID

VAR-202111-0247


CVE

CVE-2021-38428


TITLE

Cross-site scripting vulnerability in Delta Electronics DIALink

Trust: 0.8

sources: JVNDB: JVNDB-2021-014625

DESCRIPTION

Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter name of the API schedule, which may allow an attacker to remotely execute code. A cross-site scripting vulnerability exists in Delta Electronics DIALink. Information may be obtained and information may be tampered with. DIALink is a device networking platform launched by Delta Electronics that can effectively manage CNC machine tools and PLC control machines, collect field device data, connect with the upper management platform through a unified interface, and provide visual information reflecting process parameters and equipment working state. DIALink 1.2.4.0 and earlier versions have a cross-site scripting vulnerability.

Trust: 2.25

sources: NVD: CVE-2021-38428 // JVNDB: JVNDB-2021-014625 // CNVD: CNVD-2021-84841 // VULMON: CVE-2021-38428

IOT TAXONOMY

category: ['ICS'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-84841

AFFECTED PRODUCTS

vendor: deltaww // model: dialink // scope: lte // version: 1.2.4.0

Trust: 1.0

vendor: delta // model: dialink // scope: eq // version: -

Trust: 0.8

vendor: delta // model: dialink // scope: lte // version: 1.2.4.0 and earlier

Trust: 0.8

vendor: delta // model: electronics dialink // scope: lte // version: <=1.2.4.0

Trust: 0.6

sources: CNVD: CNVD-2021-84841 // JVNDB: JVNDB-2021-014625 // NVD: CVE-2021-38428

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-38428
value: MEDIUM

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-38428
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-38428
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-84841
value: LOW

Trust: 0.6

CNNVD: CNNVD-202110-1553
value: MEDIUM

Trust: 0.6

VULMON: CVE-2021-38428
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2021-38428
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2021-84841
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-38428
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-38428
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-38428
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-84841 // VULMON: CVE-2021-38428 // JVNDB: JVNDB-2021-014625 // CNNVD: CNNVD-202110-1553 // NVD: CVE-2021-38428 // NVD: CVE-2021-38428

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-014625 // NVD: CVE-2021-38428

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-1553

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202110-1553

PATCH

title: Top Page // url: https://www.deltaww.com/en-US/index

Trust: 0.8

sources: JVNDB: JVNDB-2021-014625

EXTERNAL IDS

db: NVD // id: CVE-2021-38428

Trust: 3.9

db: ICS CERT // id: ICSA-21-294-02

Trust: 3.1

db: JVN // id: JVNVU94767496

Trust: 0.8

db: JVNDB // id: JVNDB-2021-014625

Trust: 0.8

db: CNVD // id: CNVD-2021-84841

Trust: 0.6

db: AUSCERT // id: ESB-2021.3528

Trust: 0.6

db: CS-HELP // id: SB2021102209

Trust: 0.6

db: CNNVD // id: CNNVD-202110-1553

Trust: 0.6

db: VULMON // id: CVE-2021-38428

Trust: 0.1

sources: CNVD: CNVD-2021-84841 // VULMON: CVE-2021-38428 // JVNDB: JVNDB-2021-014625 // CNNVD: CNNVD-202110-1553 // NVD: CVE-2021-38428

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02

Trust: 2.9

url:https://nvd.nist.gov/vuln/detail/cve-2021-38428

Trust: 1.4

url:https://jvn.jp/vu/jvnvu94767496/

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-21-294-02

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021102209

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3528

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2021-84841 // VULMON: CVE-2021-38428 // JVNDB: JVNDB-2021-014625 // CNNVD: CNNVD-202110-1553 // NVD: CVE-2021-38428

CREDITS

Michael Heinzl reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202110-1553

SOURCES

db: CNVD // id: CNVD-2021-84841
db: VULMON // id: CVE-2021-38428
db: JVNDB // id: JVNDB-2021-014625
db: CNNVD // id: CNNVD-202110-1553
db: NVD // id: CVE-2021-38428

LAST UPDATE DATE

2024-08-14T13:53:47.816000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2021-84841 // date: 2022-01-18T00:00:00
db: VULMON // id: CVE-2021-38428 // date: 2021-11-05T00:00:00
db: JVNDB // id: JVNDB-2021-014625 // date: 2022-10-21T06:28:00
db: CNNVD // id: CNNVD-202110-1553 // date: 2021-11-16T00:00:00
db: NVD // id: CVE-2021-38428 // date: 2021-11-05T14:05:35.653

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2021-84841 // date: 2021-11-08T00:00:00
db: VULMON // id: CVE-2021-38428 // date: 2021-11-03T00:00:00
db: JVNDB // id: JVNDB-2021-014625 // date: 2022-10-21T00:00:00
db: CNNVD // id: CNNVD-202110-1553 // date: 2021-10-21T00:00:00
db: NVD // id: CVE-2021-38428 // date: 2021-11-03T20:15:08.883