High
Delta Electronics DIAEnergie could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. A remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system.
Delta Electronics DIAEnergie is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements to the /DataHandler/Handler_CFG.ashx endpoint using the keyword parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
Delta Electronics DIAEnergie is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to carry out unintended actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
Delta Electronics DIAEnergie could allow a locally authenticated attacker to obtain sensitive information, caused by a weak hashing algorithm. An attacker could exploit this vulnerability to retrieve passwords in cleartext and obtain sensitive information.
Delta Electronics DIAEnergie is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements to the /DataHandler/HandlerEnergyType.ashx endpoint using the egyid parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
Delta Electronics DIAEnergie is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements to the /DataHandler/AM/AM_Handler.ashx endpoint using the type parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
Delta Electronics DIAEnergie is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements to the /DataHandler/HandlerAlarmGroup.ashx endpoint using the agid parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
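A log-triage check for the four SQL injection entries above, as an added example that is not part of the original advisory or the vendor's code: it reads IIS W3C access-log lines and flags requests to the named endpoints whose named parameter contains SQL syntax. It assumes the parameter travels in the URL query string (values sent in a POST body do not appear in access logs); the sample log lines and the marker pattern are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Endpoint -> parameter pairs taken from the advisory text (lower-cased for matching).
WATCHED = {
    "/datahandler/handler_cfg.ashx": "keyword",
    "/datahandler/handlerenergytype.ashx": "egyid",
    "/datahandler/am/am_handler.ashx": "type",
    "/datahandler/handleralarmgroup.ashx": "agid",
}

# Assumption: a coarse heuristic for SQL syntax in a value; expect false positives.
SQL_MARKERS = re.compile(
    r"'|--|;|/\*|\b(union|select|waitfor|exec|drop|insert|update|delete)\b", re.I)

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-01 10:00:01 192.0.2.10 GET /DataHandler/HandlerEnergyType.ashx egyid=3 200
2024-01-01 10:00:02 192.0.2.44 GET /DataHandler/HandlerEnergyType.ashx egyid=3%27+OR+%271%27%3D%271 200
2024-01-01 10:00:03 192.0.2.44 GET /DataHandler/Handler_CFG.ashx keyword=a%27+UNION+SELECT+1-- 500
2024-01-01 10:00:04 192.0.2.10 GET /DataHandler/HandlerAlarmGroup.ashx agid=12 200
2024-01-01 10:00:05 192.0.2.10 GET /index.aspx - 200
""".splitlines()

def suspicious_requests(log_lines):
    """Return (endpoint, parameter, decoded value) for each flagged request."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        param = WATCHED.get(stem.lower())  # IIS paths are case-insensitive
        if param is None:
            continue
        raw = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
        query = {k.lower(): v for k, v in raw.items()}  # parse_qs URL-decodes values
        for value in query.get(param, []):
            if SQL_MARKERS.search(value):
                hits.append((stem, param, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review alongside the source address and response status, not proof of exploitation.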
Delta Electronics
Delta Electronics DIAEnergie 1.7.5
Delta Electronics DIAEnergie 1.7.4
Refer to the ICS-CERT Advisory for the patch, upgrade, or suggested workaround information.