Details of VAR-202206-0167

ID

VAR-202206-0167

CVE

CVE-2022-29732

TITLE

Delta Controls enteliTOUCH cross-site scripting vulnerability

Trust: 1.2

sources: CNVD: CNVD-2022-77000 // CNNVD: CNNVD-202206-260

DESCRIPTION

Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 was discovered to contain a cross-site scripting (XSS) vulnerability via the Username parameter. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload. Delta Controls enteliTOUCH is a touch screen building controller from Delta Controls, Canada. The vulnerability stems from the fact that the Username parameter lacks data validation filtering for user-provided data and output. enteliTOUCH - Touchscreen Building Controller. Get instantaccess to the heart of your BAS. The enteliTOUCH has a 7-inch,high-resolution display that serves as an interface to your building.Use it as your primary interface for smaller facilities or as anon-the-spot access point for larger systems. The intuitive,easy-to-navigate interface gives instant access to manage your BAS.Input passed to the POST parameter 'Username' is not properlysanitised before being returned to the user. This can be exploitedto execute arbitrary HTML code in a user's browser session in contextof an affected site.Tested on: DELTA enteliTOUCH

Trust: 2.34

sources: NVD: CVE-2022-29732 // JVNDB: JVNDB-2022-010888 // CNVD: CNVD-2022-77000 // ZSL: ZSL-2022-5703 // VULMON: CVE-2022-29732

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-77000

AFFECTED PRODUCTS

vendor:	deltacontrols	model:	entelitouch	scope:	eq	version:	3.40.3935	Trust: 1.0
vendor:	deltacontrols	model:	entelitouch	scope:	eq	version:	3.33.4005	Trust: 1.0
vendor:	deltacontrols	model:	entelitouch	scope:	eq	version:	3.40.3706	Trust: 1.0
vendor:	delta controls	model:	entelitouch	scope:	-	version:	-	Trust: 0.8
vendor:	delta controls	model:	entelitouch	scope:	eq	version:	entelitouch firmware 3.40.3935	Trust: 0.8
vendor:	delta controls	model:	entelitouch	scope:	eq	version:	entelitouch firmware 3.33.4005	Trust: 0.8
vendor:	delta controls	model:	entelitouch	scope:	eq	version:	entelitouch firmware 3.40.3706	Trust: 0.8
vendor:	delta controls	model:	entelitouch	scope:	eq	version:	-	Trust: 0.8
vendor:	delta	model:	controls dentelitouch	scope:	eq	version:	3.40.3935	Trust: 0.6
vendor:	delta	model:	controls dentelitouch	scope:	eq	version:	3.40.3706	Trust: 0.6
vendor:	delta	model:	controls dentelitouch	scope:	eq	version:	3.33.4005	Trust: 0.6
vendor:	delta controls	model:	entelitouch	scope:	eq	version:	3.40.3935	Trust: 0.1
vendor:	delta controls	model:	entelitouch	scope:	eq	version:	3.40.3706	Trust: 0.1
vendor:	delta controls	model:	entelitouch	scope:	eq	version:	3.33.4005	Trust: 0.1

sources: ZSL: ZSL-2022-5703 // CNVD: CNVD-2022-77000 // JVNDB: JVNDB-2022-010888 // NVD: CVE-2022-29732

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-29732
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-29732
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2022-77000
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202206-260
value:	MEDIUM
Trust: 0.6
ZSL:	ZSL-2022-5703
value:	(3/5)
Trust: 0.1

nvd@nist.gov:	CVE-2022-29732
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-77000
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-29732
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2022-29732
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: ZSL: ZSL-2022-5703 // CNVD: CNVD-2022-77000 // JVNDB: JVNDB-2022-010888 // CNNVD: CNNVD-202206-260 // NVD: CVE-2022-29732

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-010888 // NVD: CVE-2022-29732

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-260

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202206-260

EXPLOIT AVAILABILITY

sources: ZSL: ZSL-2022-5703

PATCH

title:	Patch for Delta Controls enteliTOUCH cross-site scripting vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/346031	Trust: 0.6
title:	Delta Controls enteliTOUCH Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=195738	Trust: 0.6

sources: CNVD: CNVD-2022-77000 // CNNVD: CNNVD-202206-260

EXTERNAL IDS

db:	NVD	id:	CVE-2022-29732	Trust: 4.0
db:	ZSL	id:	ZSL-2022-5703	Trust: 2.6
db:	JVNDB	id:	JVNDB-2022-010888	Trust: 0.8
db:	CNVD	id:	CNVD-2022-77000	Trust: 0.6
db:	CNNVD	id:	CNNVD-202206-260	Trust: 0.6
db:	CXSECURITY	id:	WLB-2022040065	Trust: 0.1
db:	EXPLOIT-DB	id:	50879	Trust: 0.1
db:	PACKETSTORM	id:	166728	Trust: 0.1
db:	VULMON	id:	CVE-2022-29732	Trust: 0.1

sources: ZSL: ZSL-2022-5703 // CNVD: CNVD-2022-77000 // VULMON: CVE-2022-29732 // JVNDB: JVNDB-2022-010888 // CNNVD: CNNVD-202206-260 // NVD: CVE-2022-29732

REFERENCES

url:	https://www.deltacontrols.com/	Trust: 3.1
url:	https://www.zeroscience.mk/en/vulnerabilities/zsl-2022-5703.php	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2022-29732	Trust: 0.9
url:	https://cxsecurity.com/cveshow/cve-2022-29732/	Trust: 0.6
url:	https://packetstormsecurity.com/files/166728/delta-controls-entelitouch-3.40.3935-cross-site-scripting.html	Trust: 0.1
url:	https://www.exploit-db.com/exploits/50879	Trust: 0.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/224333	Trust: 0.1
url:	https://cxsecurity.com/issue/wlb-2022040065	Trust: 0.1
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2022-29732	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: ZSL: ZSL-2022-5703 // CNVD: CNVD-2022-77000 // VULMON: CVE-2022-29732 // JVNDB: JVNDB-2022-010888 // CNNVD: CNNVD-202206-260 // NVD: CVE-2022-29732

CREDITS

Vulnerability discovered by Gjoko Krstic

Trust: 0.1

sources: ZSL: ZSL-2022-5703

SOURCES

db:	ZSL	id:	ZSL-2022-5703
db:	CNVD	id:	CNVD-2022-77000
db:	VULMON	id:	CVE-2022-29732
db:	JVNDB	id:	JVNDB-2022-010888
db:	CNNVD	id:	CNNVD-202206-260
db:	NVD	id:	CVE-2022-29732

LAST UPDATE DATE

2024-11-23T21:58:20.574000+00:00

SOURCES UPDATE DATE

db:	ZSL	id:	ZSL-2022-5703	date:	2022-05-29T00:00:00
db:	CNVD	id:	CNVD-2022-77000	date:	2022-11-15T00:00:00
db:	VULMON	id:	CVE-2022-29732	date:	2022-06-02T00:00:00
db:	JVNDB	id:	JVNDB-2022-010888	date:	2023-08-17T08:34:00
db:	CNNVD	id:	CNNVD-202206-260	date:	2022-06-13T00:00:00
db:	NVD	id:	CVE-2022-29732	date:	2024-11-21T06:59:37.500

SOURCES RELEASE DATE

db:	ZSL	id:	ZSL-2022-5703	date:	2022-04-14T00:00:00
db:	CNVD	id:	CNVD-2022-77000	date:	2022-08-18T00:00:00
db:	VULMON	id:	CVE-2022-29732	date:	2022-06-02T00:00:00
db:	JVNDB	id:	JVNDB-2022-010888	date:	2023-08-17T00:00:00
db:	CNNVD	id:	CNNVD-202206-260	date:	2022-06-02T00:00:00
db:	NVD	id:	CVE-2022-29732	date:	2022-06-02T14:15:50.910