CVE-2022-33005: Delta Electronics DIAEnergie 1.08.00 XSS Vulnerability (GitHub - ZhuoNiBa/Delta-DIAEnergie-XSS)
A cross-site scripting (XSS) vulnerability in the System Settings/IOT Settings module of Delta Electronics DIAEnergie v1.08.00 allows attackers to execute arbitrary web scripts via a crafted payload injected into the Name text field.
Delta-DIAEnergie-XSS
Delta Electronics DIAEnergie 1.08.00 XSS Vulnerability
Vulnerability Introduction
In DIAEnergie, under the “System Settings” - “IoT Hub Settings” menu, when creating a new “shift setting” (the request URL is “/api/DiaSettings/PutIoTHubSetting”), an XSS test on the “name” field causes the page to display the error “A potentially dangerous Request.Form value detected from the client (name="123<script>alert(123)</script>")”, but the XSS script is in fact submitted successfully.
Download link: https://downloadcenter.delta-china.com.cn/downloadCenterCounter.aspx?DID=39971&DocPath=1&hl=zh-CN
Vulnerability verification process
1. In the menu “System Settings” - “IoT Hub Settings”, submit “<script>alert(123)</script>” in the name field when creating a new “Shift Settings”.
2. Success.
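The error text quoted in the introduction is the message ASP.NET request validation emits; it is a heuristic input filter, and the advisory shows the value being stored anyway. What actually prevents a stored Name from executing is HTML-encoding it wherever it is rendered. The following JavaScript is an added example illustrating that distinction, not code from the DIAEnergie product or from the advisory author; the function names and the simplified "dangerous input" check are assumptions, and the sample input is the payload the advisory quotes.

```javascript
// Added example (not from DIAEnergie or the advisory): output-encode a
// user-supplied "Name" field so that a stored value like the one in the
// advisory renders as inert text instead of running as script.

// HTML-encode the five characters that matter in an element body or
// a double-quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed simplification of the heuristic ASP.NET request validation applies
// ("potentially dangerous Request.Form value"): flag '<' followed by a
// letter, '!', '/' or '?', or an '&#' entity prefix. Rejecting at input time
// is defence in depth only; the advisory shows the value can still be stored.
function looksDangerous(value) {
  return /<[a-zA-Z!/?]|&#/.test(String(value));
}

// Hypothetical render step for a settings row. Encoding at output time is
// the control that holds even if the stored value contains markup.
function renderShiftRow(name) {
  return `<tr><td class="name">${escapeHtml(name)}</td></tr>`;
}

// Constructed sample input: the payload quoted in the advisory.
const SAMPLE_NAME = '123<script>alert(123)</script>';

// Stand-alone demonstration.
console.log(looksDangerous(SAMPLE_NAME));   // true: input filter would flag it
console.log(renderShiftRow(SAMPLE_NAME));   // no raw <script> tag in the output
```

The check `renderShiftRow(SAMPLE_NAME)` contains no literal `<script>` is a useful regression test for a fix: it fails on the unencoded template and passes once the Name passes through `escapeHtml`.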