Details of VAR-202203-2084

ID

VAR-202203-2084

TITLE

(0Day) Delta Industrial Automation DIAEnergie AM_Handler SQL Injection Information Disclosure Vulnerability

Trust: 0.7

sources: ZDI: ZDI-22-424

DESCRIPTION

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Delta Industrial Automation DIAEnergie. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the AM_Handler endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.

Trust: 0.7

sources: ZDI: ZDI-22-424

AFFECTED PRODUCTS

vendor:

delta industrial automation

model:

diaenergie

scope:

version:

Trust: 0.7

sources: ZDI: ZDI-22-424

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	ZDI-22-424
value:	HIGH
Trust: 0.7

ZDI:	ZDI-22-424
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-22-424

EXTERNAL IDS

db:	ZDI_CAN	id:	ZDI-CAN-15581	Trust: 0.7
db:	ZDI	id:	ZDI-22-424	Trust: 0.7

sources: ZDI: ZDI-22-424

CREDITS

Dusan Stevanovic from Trend Micro Security Research

Trust: 0.7

sources: ZDI: ZDI-22-424

SOURCES

db:

ZDI

id:

ZDI-22-424

LAST UPDATE DATE

2022-05-17T01:50:46.580000+00:00

SOURCES UPDATE DATE

db:

ZDI

id:

ZDI-22-424

date:

2022-03-30T00:00:00

SOURCES RELEASE DATE

db:

ZDI

id:

ZDI-22-424

date:

2022-03-01T00:00:00