Sign-up

ID

VAR-202111-0277


CVE

CVE-2021-38407


TITLE

Delta Electronics DIALink  Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-014635

DESCRIPTION

Delta Electronics DIALink versions 1.2.4.0 and prior is vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter name of the API devices, which may allow an attacker to remotely execute code. Delta Electronics DIALink Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. DIALink is a device networking platform launched by Delta Electronics, which can effectively manage CNC machine tools and PLC control machines, collect field device data and connect with the upper management platform through a unified interface, and provide visual information to reflect process parameters and equipment work. state. DIALink 1.2.4.0 and earlier versions have a cross-site scripting vulnerability

Trust: 2.16

sources: NVD: CVE-2021-38407 // JVNDB: JVNDB-2021-014635 // CNVD: CNVD-2021-84838

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2021-84838

AFFECTED PRODUCTS

vendor:deltawwmodel:dialinkscope:lteversion:1.2.4.0

Trust: 1.0

vendor:deltamodel:dialinkscope:eqversion: -

Trust: 0.8

vendor:deltamodel:dialinkscope:lteversion:1.2.4.0 and earlier

Trust: 0.8

vendor:deltamodel:electronics dialinkscope:lteversion:<=1.2.4.0

Trust: 0.6

sources: CNVD: CNVD-2021-84838 // JVNDB: JVNDB-2021-014635 // NVD: CVE-2021-38407

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-38407
value: MEDIUM

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-38407
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-38407
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2021-84838
value: LOW

Trust: 0.6

CNNVD: CNNVD-202110-1546
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2021-38407
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2021-84838
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-38407
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.1

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2021-38407
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-38407
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2021-84838 // JVNDB: JVNDB-2021-014635 // CNNVD: CNNVD-202110-1546 // NVD: CVE-2021-38407 // NVD: CVE-2021-38407

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

problemtype:Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-014635 // NVD: CVE-2021-38407

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202110-1546

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202110-1546

PATCH

title:Top Pageurl:https://www.deltaww.com/en-US/index

Trust: 0.8

sources: JVNDB: JVNDB-2021-014635

EXTERNAL IDS

db:NVDid:CVE-2021-38407

Trust: 3.8

db:ICS CERTid:ICSA-21-294-02

Trust: 3.0

db:JVNid:JVNVU94767496

Trust: 0.8

db:JVNDBid:JVNDB-2021-014635

Trust: 0.8

db:CNVDid:CNVD-2021-84838

Trust: 0.6

db:AUSCERTid:ESB-2021.3528

Trust: 0.6

db:CS-HELPid:SB2021102209

Trust: 0.6

db:CNNVDid:CNNVD-202110-1546

Trust: 0.6

sources: CNVD: CNVD-2021-84838 // JVNDB: JVNDB-2021-014635 // CNNVD: CNNVD-202110-1546 // NVD: CVE-2021-38407

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02

Trust: 2.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-38407

Trust: 1.4

url:https://jvn.jp/vu/jvnvu94767496/

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-21-294-02

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021102209

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.3528

Trust: 0.6

sources: CNVD: CNVD-2021-84838 // JVNDB: JVNDB-2021-014635 // CNNVD: CNNVD-202110-1546 // NVD: CVE-2021-38407

CREDITS

Michael Heinzl reported these vulnerabilities to CISA.

Trust: 0.6

sources: CNNVD: CNNVD-202110-1546

SOURCES

db:CNVDid:CNVD-2021-84838
db:JVNDBid:JVNDB-2021-014635
db:CNNVDid:CNNVD-202110-1546
db:NVDid:CVE-2021-38407

LAST UPDATE DATE

2024-08-14T13:53:47.672000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2021-84838date:2022-01-18T00:00:00
db:JVNDBid:JVNDB-2021-014635date:2022-10-21T07:58:00
db:CNNVDid:CNNVD-202110-1546date:2021-11-16T00:00:00
db:NVDid:CVE-2021-38407date:2021-11-05T13:43:35.517

SOURCES RELEASE DATE

db:CNVDid:CNVD-2021-84838date:2021-11-08T00:00:00
db:JVNDBid:JVNDB-2021-014635date:2022-10-21T00:00:00
db:CNNVDid:CNNVD-202110-1546date:2021-10-21T00:00:00
db:NVDid:CVE-2021-38407date:2021-11-03T20:15:08.480