SB2024031522 - Multiple vulnerabilities in Delta Electronics DIAEnergie

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024031522

SB2024031522 - Multiple vulnerabilities in Delta Electronics DIAEnergie

Published: March 15, 2024

Security Bulletin ID SB2024031522
Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 90% Low 10%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) Improper Authorization (CVE-ID: CVE-2024-28029)

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper authorization. A remote user can bypass authorization and access privileged functionality.


2) SQL injection (CVE-ID: CVE-2024-28891)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the script Handler_CFG.ashx. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


3) SQL injection (CVE-ID: CVE-2024-25937)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the script DIAE_tagHandler.ashx. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


4) SQL injection (CVE-ID: CVE-2024-28040)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in GetDIAE_astListParameters. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


5) SQL injection (CVE-ID: CVE-2024-23975)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in GetDIAE_slogListParameters. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


6) SQL injection (CVE-ID: CVE-2024-23494)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in GetDIAE_unListParameters. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


7) SQL injection (CVE-ID: CVE-2024-25574)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in GetDIAE_usListParameters. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.


8) Path traversal (CVE-ID: CVE-2024-28171)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and overwrite arbitrary files on the system.


9) Path traversal (CVE-ID: CVE-2024-25567)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and overwrite arbitrary files on the system.


10) Cross-site scripting (CVE-ID: CVE-2024-28045)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


Remediation

Install update from vendor's website.

References