CVE-2022-43506 - OpenCVE

SQL Injection in HandlerTag_KID.ashx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Deltaww	Diaenergie

Configuration 1 [-]

cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06	Mitigation Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2022-11-17T22:45:55.514407Z

Updated: 2023-10-26T23:11:28.594Z

Reserved: 2022-10-31T00:00:00

Link: CVE-2022-43506

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-11-17T23:15:24.303

Modified: 2023-10-30T17:00:18.507

Link: CVE-2022-43506

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [{"status": "affected", "version": "All"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "datePublic": "2022-11-10T18:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SQL Injection in \n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">HandlerTag_KID.ashx</span>\n\n</span>\n\nin Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network"}], "value": "SQL Injection in \n\n\n\nHandlerTag_KID.ashx\n\n\n\nin Delta Electronics DIAEnergie versions prior to\u00a0v1.9.02.001\u00a0allows an attacker to inject SQL queries via Network"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-10-26T23:11:28.594Z"}, "references": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Delta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.</span>\n\n<br>"}], "value": "\nDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\n\n\n"}], "source": {"advisory": "ICSA-22-298-06", "discovery": "EXTERNAL"}, "title": "Delta Electronics DIAEnergie SQL Injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "cveId": "CVE-2022-43506", "serial": 1, "state": "PUBLISHED", "dateUpdated": "2023-10-26T23:11:28.594Z", "dateReserved": "2022-10-31T00:00:00", "datePublished": "2022-11-17T22:45:55.514407Z", "assignerShortName": "icscert"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}