Delta Electronics DIAEnergie
Description
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PostEnergyType API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored cross-site scripting in Delta Electronics DIAEnergie's PostEnergyType API allows remote authenticated attackers to inject arbitrary web scripts.
Vulnerability
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PostEnergyType API [1]. This improper neutralization of input during web page generation (CWE-79) allows an attacker to inject malicious scripts that are stored on the server and later executed in the context of other users' browsers.
Exploitation
An attacker must have low-privileged access to the DIAEnergie application (authentication required) and convince a victim to interact with the crafted content (user interaction required) [1]. The attacker sends a specially crafted request to the PostEnergyType API endpoint, which stores the malicious payload. When a victim views the affected page, the script executes.
Impact
Successful exploitation leads to high confidentiality and integrity impact, as the attacker can steal session cookies, modify data, or perform actions on behalf of the victim [1]. Availability is not affected. The CVSS v3 base score is 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).
Mitigation
Delta Electronics has released fixed versions: DIAEnergie v1.9.01.002 and later (including v1.9.02.001 and v1.9.03.001) [1]. Users should update to the latest available version. No workarounds are provided in the advisory.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <1.9.01.002
- Range: All
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.