communication due to the lack of SSL verification. An attacker must have access to the network or remote administration tool in order to inject SQL queries into the application. An attacker can leverage injection to create new orders, delete orders, view order details, change order status, or affect other functions. Delta Electronics DIAEnergie versions 1.9.02.001 and later have fixed this issue. Injection is only possible via the AM_EBillAnalysis.aspx page and the AM_EBillAnalysis.jsp page. These pages are accessible only via the HTTP protocol. CVEs - CVE-2018-5639, CVE-2018-5391, CVE-2018-5392, CVE-2018-5393, CVE-2018-5394, CVE-2018
Chain of Trust
Security vulnerabilities are a common occurrence in the world of web-based software. In this case, Delta Electronics DIAEnergie versions prior to v1.9.02.001 allow an attacker to inject SQL queries via network communication due to the lack of SSL verification. An attacker must have access to the network or remote administration tool in order to inject SQL queries into the application. An attacker can leverage injection to create new orders, delete orders, view order details, change order status, or affect other functions. Injection is only possible via the AM_EBillAnalysis.aspx page and the AM_EBillAnalysis.jsp page. These pages are accessible only via the HTTP protocol. Delta Electronics DIAEnergie versions 1.9.02.001 and later have fixed this issue.
Summary
Delta Electronics DIAEnergie versions prior to v1.9.02.001 allow an attacker to inject SQL queries via network communication due to the lack of SSL verification. Versions 1.9.02.001 and later have fixed this vulnerability. An attacker must have access to the network or remote administration tool in order to inject SQL queries into the application. An attacker can leverage injection to create new orders, delete orders, view order details, change order status, or affect other functions. CVEs - CVE-2018-5639, CVE-2018-5391, CVE-2018-5392, CVE-2018-5393, CVE-2018-5394
Timeline
Published on: 11/17/2022 23:15:00 UTC
Last modified on: 11/18/2022 18:50:00 UTC