CVE-2022-43447 Delta Electronics DIAEnergie allows SQL Injection via Network.

Delta Electronics DIAEnergie versions prior to v1.9.02.001 allow an attacker to inject SQL queries via network communication due to the lack of SSL verification. An attacker must have access to the network or remote administration tool in order to inject SQL queries into the application. An attacker can leverage injection to create new orders, delete orders, view order details, change order status, or affect other functions. Delta Electronics DIAEnergie versions 1.9.02.001 and later have fixed this issue. Injection is only possible via the AM_EBillAnalysis.aspx page and the AM_EBillAnalysis.jsp page. These pages are accessible only via the HTTP protocol. CVEs - CVE-2018-5639, CVE-2018-5391, CVE-2018-5392, CVE-2018-5393, CVE-2018-5394, CVE-2018

Chain of Trust

Security vulnerabilities are a common occurrence in the world of web-based software. In this case, Delta Electronics DIAEnergie versions 1.9.02.001 and later have fixed this issue. Injection is only possible via the AM_EBillAnalysis.aspx page and the AM_EBillAnalysis.jsp page. These pages are accessible only via the HTTP protocol. Delta Electronics DIAEnergie versions prior to v1.9.02.001 allow an attacker to inject SQL queries via network communication due to the lack of SSL verification. An attacker must have access to the network or remote administration tool in order to inject SQL queries into the application. An attacker can leverage injection to create new orders, delete orders, view order details, change order status, or affect other functions.

Summary

Delta Electronics DIAEnergie versions prior to v1.9.02.001 allow an attacker to inject SQL queries via network communication due to the lack of SSL verification; versions 1.9.02.001 and later have fixed this vulnerability. An attacker must have access to the network or remote administration tool in order to inject SQL queries into the application. An attacker can leverage injection to create new orders, delete orders, view order details, change order status, or affect other functions. CVEs - CVE-2018-5639, CVE-2018-5391, CVE-2018-5392, CVE-2018-5393, CVE-2018-5394
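
The triage script below is an added example, not part of the original advisory or any Delta Electronics code: it checks whether an installed version predates the fixed release and flags access-log requests to the two affected pages. The log field order, the `year` parameter, the SQL-marker heuristic and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# The only injection points named in the advisory (compared case-insensitively).
AFFECTED_PAGES = ("/am_ebillanalysis.aspx", "/am_ebillanalysis.jsp")
FIXED_VERSION = "1.9.02.001"  # first fixed release per the advisory
# Heuristic markers of SQL syntax in a decoded query string (assumption, tune locally).
SQLI_MARKERS = re.compile(
    r"('|--|;|/\*|\b(union|select|insert|update|delete|drop|exec)\b)", re.I)

# Constructed sample log; assumed field order is given in the #Fields line.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2022-11-01 08:00:01 192.0.2.10 GET /AM_EBillAnalysis.aspx year=2022 200",
    "2022-11-01 08:00:07 192.0.2.44 GET /AM_EBillAnalysis.aspx year=2022%27-- 500",
    "2022-11-01 08:00:09 192.0.2.10 GET /Default.aspx - 200",
]

def _as_tuple(version):
    """Turn '1.9.02.001' or 'v1.9.02.001' into (1, 9, 2, 1) for comparison."""
    return tuple(int(part) for part in version.lstrip("vV").split("."))

def is_vulnerable(version):
    """True when the installed version is older than the fixed release."""
    return _as_tuple(version) < _as_tuple(FIXED_VERSION)

def triage(log_lines):
    """Return (client_ip, path, reason) for each request to an affected page."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # skip header/comment lines and malformed records
        _date, _time, ip, _method, stem, query, _status = fields[:7]
        if not stem.lower().endswith(AFFECTED_PAGES):
            continue
        decoded = "" if query == "-" else unquote_plus(query)
        reason = ("sql-syntax-in-query" if SQLI_MARKERS.search(decoded)
                  else "page-access")
        findings.append((ip, stem, reason))
    return findings

if __name__ == "__main__":
    print("1.9.01.002 vulnerable:", is_vulnerable("1.9.01.002"))
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Access logs record only the URL query string, so input submitted in a POST body is not visible to this check; treat every `page-access` hit on an unpatched host as worth reviewing.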
