Delta Electronics DIAEnergie
Description
The affected product DIAEnergie (versions prior to v1.9.01.002) contains a stored cross-site scripting vulnerability reachable through the PutShift API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Delta Electronics DIAEnergie prior to v1.9.01.002 has a stored cross-site scripting (XSS) vulnerability in the PutShift API, allowing an attacker to inject arbitrary JavaScript.
Vulnerability
The stored cross-site scripting (XSS) vulnerability exists in Delta Electronics DIAEnergie versions prior to v1.9.01.002 [1]. The flaw is located in the PutShift API endpoint, which fails to properly neutralize user-supplied input during web page generation (CWE-79). An attacker with low-privileged access can inject malicious script payloads that are stored and later executed in the context of other users' sessions.
Exploitation
Exploitation requires network access to the DIAEnergie web interface and a valid low-privileged user account (CVSS PR:L). The attacker sends a crafted POST request to the PutShift API with a malicious payload in one of the input fields. When an administrator or other user views the shift data in the web application, the injected script executes in their browser. No additional user interaction beyond viewing the page is required.
Impact
Successful exploitation leads to arbitrary script execution in the session of any user accessing the affected page. The attacker can then steal session cookies, perform actions on behalf of the victim, or deface the page. The CVSS scope is changed (S:C), indicating the compromise extends beyond the vulnerable component, and impact to confidentiality and integrity is high [1].
Mitigation
Delta Electronics released DIAEnergie version v1.9.01.002, which includes a fix for this vulnerability [1]. Users should update to v1.9.01.002 or later (note: subsequent versions v1.9.02.001 and v1.9.03.001 also contain the fix). No workaround is documented in the advisory. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
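To make the CWE-79 pattern in the Vulnerability and Mitigation sections concrete, here is an added JavaScript model of a shift store that is rendered into HTML; it is not DIAEnergie code, and the field name shiftName, the in-memory store and the sample records are constructed assumptions since the real PutShift request format is not given above. It shows the unencoded rendering beside the output-encoded form, and an audit helper for triaging records that were stored before the rendering path was fixed.

```javascript
// Added example, not DIAEnergie code: a minimal "shift" store rendered into
// HTML, showing the CWE-79 defect beside the hardened form, plus an audit
// helper for triaging records already stored. The field name shiftName, the
// store and the sample records are constructed assumptions.

const shifts = []; // constructed in-memory store standing in for the database

// Stand-in for a PutShift-style write path: stores whatever the caller sends.
function putShift(record) {
  shifts.push({ id: shifts.length + 1, shiftName: String(record.shiftName) });
  return shifts.length;
}

// Vulnerable rendering: stored values are concatenated straight into markup.
function renderShiftsUnsafe() {
  return shifts.map(s => `<tr><td>${s.id}</td><td>${s.shiftName}</td></tr>`).join("");
}

// Output encoding for the HTML element context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Hardened rendering: every stored value is encoded before it reaches markup.
function renderShiftsSafe() {
  return shifts.map(s => `<tr><td>${s.id}</td><td>${escapeHtml(s.shiftName)}</td></tr>`).join("");
}

// Incident-response triage: fixing the rendering path does not clean up what
// was written earlier, so flag stored records that look like markup or event
// handlers. Deliberately broad; expect some false positives to review by hand.
function findSuspiciousShifts() {
  const markup = /<[a-z!\/]|javascript:|on[a-z]+\s*=/i;
  return shifts.filter(s => markup.test(s.shiftName)).map(s => s.id);
}

// Constructed sample input: one benign record and one carrying a script tag.
putShift({ shiftName: "Night shift" });
putShift({ shiftName: "<script>alert(1)</script>" });
```

Record 2 survives unchanged in renderShiftsUnsafe(), is neutralised to `&lt;script&gt;...` by renderShiftsSafe(), and is the only id returned by findSuspiciousShifts().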
Affected products
- Range: All
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.