Multiple vulnerabilities in Delta Electronics DIALink
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2021-38418 CVE-2021-38428 CVE-2021-38488 CVE-2021-38407 CVE-2021-38403 CVE-2021-38411 CVE-2021-38424 CVE-2021-38422 CVE-2021-38416 CVE-2021-38420 |
| CWE-ID | CWE-319 CWE-79 CWE-1236 CWE-312 CWE-427 CWE-276 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
DIALink Hardware solutions / Firmware |
| Vendor | Delta Electronics, Inc. |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Cleartext transmission of sensitive information
EUVDB-ID: #VU57601
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-38418
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software uses insecure communication channel to transmit sensitive information. A remote attacker with ability to intercept network traffic can gain access to sensitive data.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsDIALink: 1.2.4.0
CPE2.3- cpe:2.3:h:delta_electronics:dialink:*:*:*:*:*:*:*:*
- cpe:2.3:h:delta_electronics:dialink:1.2.4.0:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-21-294-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Stored cross-site scripting
EUVDB-ID: #VU57602
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38428
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the parameter name of the API schedule. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsDIALink: 1.2.4.0
CPE2.3- cpe:2.3:h:delta_electronics:dialink:*:*:*:*:*:*:*:*
- cpe:2.3:h:delta_electronics:dialink:1.2.4.0:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-21-294-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Stored cross-site scripting
EUVDB-ID: #VU57603
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38488
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the parameter comment of the API events. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsDIALink: 1.2.4.0
CPE2.3- cpe:2.3:h:delta_electronics:dialink:*:*:*:*:*:*:*:*
- cpe:2.3:h:delta_electronics:dialink:1.2.4.0:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-21-294-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Stored cross-site scripting
EUVDB-ID: #VU57605
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38407
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the parameter name of the API devices. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsDIALink: 1.2.4.0
CPE2.3- cpe:2.3:h:delta_electronics:dialink:*:*:*:*:*:*:*:*
- cpe:2.3:h:delta_electronics:dialink:1.2.4.0:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-21-294-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Stored cross-site scripting
EUVDB-ID: #VU57606
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38403
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the parameter supplier of the API maintenance. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsDIALink: 1.2.4.0
CPE2.3- cpe:2.3:h:delta_electronics:dialink:*:*:*:*:*:*:*:*
- cpe:2.3:h:delta_electronics:dialink:1.2.4.0:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-21-294-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Stored cross-site scripting
EUVDB-ID: #VU57607
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38411
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the parameter deviceName of the API modbusWriter-Reader. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsDIALink: 1.2.4.0
CPE2.3- cpe:2.3:h:delta_electronics:dialink:*:*:*:*:*:*:*:*
- cpe:2.3:h:delta_electronics:dialink:1.2.4.0:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-21-294-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper Neutralization of Formula Elements in a CSV File
EUVDB-ID: #VU57608
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38424
CWE-ID:
CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromsie the target system.
THe vulnerability exists due to improper neutralization of formula elements in a CSV File. A remote administrator can inject formulas into the tag data.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsDIALink: 1.2.4.0
CPE2.3- cpe:2.3:h:delta_electronics:dialink:*:*:*:*:*:*:*:*
- cpe:2.3:h:delta_electronics:dialink:1.2.4.0:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-21-294-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Cleartext storage of sensitive information
EUVDB-ID: #VU57609
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38422
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to the affected product stores sensitive information in cleartext. A local user can gain unauthorized access to sensitive information on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsDIALink: 1.2.4.0
CPE2.3- cpe:2.3:h:delta_electronics:dialink:*:*:*:*:*:*:*:*
- cpe:2.3:h:delta_electronics:dialink:1.2.4.0:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-21-294-02
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Insecure DLL loading
EUVDB-ID: #VU57610
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38416
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise vulnerable system.
The vulnerability exists due to the application loads DLL libraries in an insecure manner. A local user can place a specially crafted .dll file and execute arbitrary code on victim's system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsDIALink: 1.2.4.0
CPE2.3- cpe:2.3:h:delta_electronics:dialink:*:*:*:*:*:*:*:*
- cpe:2.3:h:delta_electronics:dialink:1.2.4.0:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-21-294-02
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Incorrect default permissions
EUVDB-ID: #VU57611
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-38420
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for files and folders that are set by the application. A local user with access to the system can view contents of files and directories or modify them.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsDIALink: 1.2.4.0
CPE2.3- cpe:2.3:h:delta_electronics:dialink:*:*:*:*:*:*:*:*
- cpe:2.3:h:delta_electronics:dialink:1.2.4.0:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-21-294-02
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
