Delta Electronics DIAEnergie
Description
The affected product DIAEnergie (versions prior to v1.9.01.002) is vulnerable to a stored cross-site scripting vulnerability through the SetPF API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DIAEnergie prior to v1.9.01.002 contains a stored XSS vulnerability in the SetPF API, allowing injected script to execute once a victim loads the malicious input.
Vulnerability
DIAEnergie versions prior to v1.9.01.002 are vulnerable to stored cross-site scripting (XSS) via the SetPF API [1]. The application does not properly neutralize user input during web page generation (CWE-79), allowing an attacker to inject arbitrary script code that is stored and executed in the context of other users' browsers. Affected builds include all releases before v1.9.01.002.
Exploitation
An attacker needs low-privilege network access to the DIAEnergie web interface and must be able to craft HTTP requests to the SetPF API containing a malicious script payload [1]. No user interaction is required during the injection step, but the payload executes only when an authenticated victim navigates to a page that renders the stored input, resulting in a stored XSS attack with low complexity.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to the theft of session cookies, modification of page content, or further attacks on the DIAEnergie system. The CVSS v3 score is 8.8, with a vector of (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) [1], indicating high confidentiality and integrity impact with no impact on availability.
Mitigation
Delta Electronics has released DIAEnergie version v1.9.01.002 to address this vulnerability. Users should update to this version or later [1]. CISA recommends reviewing the vendor advisory and applying the patch as soon as possible. No workaround is documented specifically for the stored XSS via the SetPF API.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: All