Delta Electronics DIAEnergie
Description
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the PutLineMessageSetting API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Delta Electronics DIAEnergie (prior to v1.9.01.002) via the PutLineMessageSetting API, allowing arbitrary script execution in a targeted user's session.
Vulnerability
Delta Electronics DIAEnergie, an industrial energy management system, versions prior to v1.9.01.002 contain a stored cross-site scripting (XSS) vulnerability in the PutLineMessageSetting API. The application does not properly neutralize user input when generating web pages, enabling an attacker to inject malicious scripts that are stored and later executed in the context of other users accessing the affected page [1].
Exploitation
An attacker must be an authenticated user with low privileges to reach the vulnerable API endpoint. The attack is conducted remotely over the network with low complexity. The attacker sends a crafted payload via the PutLineMessageSetting API; when a targeted user (e.g., an administrator) views the affected interface, the stored script executes in their browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary script code in the victim's browser within the security context of the DIAEnergie web application. This can lead to theft of session cookies, manipulation of web content, and potential further compromise of the application and its data. The CVSS vector for related stored XSS vulnerabilities in the same product indicates high impact to confidentiality and integrity, but no direct impact to availability [1].
Mitigation
Delta Electronics has released DIAEnergie version 1.9.01.002 and later to address this vulnerability. Users should update to the latest version (1.9.03.001 or higher) as recommended in CISA advisory ICSA-22-298-06. No effective workaround short of applying the patch has been published [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: All
Patches
No patches discovered yet.
References
1 reference
News mentions
No linked articles in our index yet.