VYPR
Unrated severity · NVD Advisory · Published May 27, 2022 · Updated Aug 3, 2024

CVE-2022-29732

Description

Delta Controls enteliTOUCH versions 3.40.3935, 3.40.3706, and 3.33.4005 contain a stored XSS vulnerability in the Username parameter allowing arbitrary web script execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Delta Controls enteliTOUCH firmware versions 3.40.3935, 3.40.3706, and 3.33.4005. The flaw lies in the handling of the Username parameter: user-supplied input is not properly sanitized before it is stored and later rendered by the application. An attacker can therefore inject arbitrary HTML or JavaScript into a page that other users will later view, for example during login or user management workflows [1].

Exploitation

To exploit this vulnerability, an attacker needs network access to the enteliTOUCH web interface and a valid, low-privileged account on the building automation system. The attacker crafts a malicious payload containing JavaScript or HTML, submits it via the Username parameter (e.g., during user creation or profile update), and the payload is stored server-side. When an administrator or victim views the affected page, the script executes in the context of the victim's browser [1].

Impact

A successful XSS attack allows the attacker to execute arbitrary web scripts or HTML in the context of the authenticated user's session. This can lead to session hijacking, credential theft (phishing for passwords), defacement of the web interface, or further injection attacks that may compromise the building management system's data integrity and user privacy. The attacker's code runs at the privilege level of the victim user [1].

Mitigation

Delta Controls had not released a patched firmware version as of the publication date (2022-05-27). System administrators should restrict network access to the enteliTOUCH web interface to trusted IP addresses only, enforce strong authentication, and monitor user-supplied fields for script or HTML content. Until a fix is provided, no user should be allowed to set a username containing special characters or HTML tags [1][2].
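The two controls the Mitigation section points at, shown as an added example that is not code from Delta Controls or from the advisory: an allowlist check on the Username field when it is submitted, and HTML encoding when stored usernames are rendered, so a value that predates the check is displayed as text rather than executed. The allowlist pattern and the sample usernames are assumptions constructed for this example.

```python
import html
import re

# Assumed allowlist policy for usernames: letters, digits, dot, underscore,
# hyphen, 1 to 64 characters. It excludes '<', '>', '"', "'" and '&', which
# are the characters an injected tag or attribute needs.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_username(username: str) -> bool:
    """Input-side control: accept only usernames that match the allowlist."""
    return USERNAME_RE.fullmatch(username) is not None


def render_user_row(username: str) -> str:
    """Output-side control: HTML-encode the stored value before placing it in
    the user-management table, so markup in an old username is shown literally."""
    return "<tr><td>" + html.escape(username, quote=True) + "</td></tr>"


def find_suspicious_usernames(usernames):
    """Audit helper for an existing user store: returns every username that
    fails the allowlist, which is what an administrator would review first."""
    return [u for u in usernames if not validate_username(u)]


# Constructed sample user store (not data from the advisory).
SAMPLE_USERNAMES = [
    "operator.01",
    "<script>alert(1)</script>",
    'jane"doe',
]

if __name__ == "__main__":
    for name in SAMPLE_USERNAMES:
        print(validate_username(name), render_user_row(name))
```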

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (no linked articles in our index yet)