CVE-2022-43506 - Vulnerability Details - OpenCVE

Description

SQL Injection in

HandlerTag_KID.ashx

in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network

Published: 2022-11-17

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Delta Electronics

DIAEnergie

unaffected

Version	Status	Constraints
`All`	affected	—

Configuration 1 [-]

cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Delta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-46504	SQL Injection in HandlerTag_KID.ashx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00202.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06

History

Wed, 16 Apr 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

Deltaww Diaenergie

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-11-17T22:45:55.514Z

Updated: 2025-04-16T17:42:35.524Z

Reserved: 2022-10-31T00:00:00.000Z

Link: CVE-2022-43506

Vulnrichment

Updated: 2024-08-03T13:32:59.709Z

NVD

Status : Modified

Published: 2022-11-17T23:15:24.303

Modified: 2024-11-21T07:26:39.497

Link: CVE-2022-43506

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-89

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [{"status": "affected", "version": "All"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "datePublic": "2022-11-10T18:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SQL Injection in \n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">HandlerTag_KID.ashx</span>\n\n</span>\n\nin Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network"}], "value": "SQL Injection in \n\n\n\nHandlerTag_KID.ashx\n\n\n\nin Delta Electronics DIAEnergie versions prior to\u00a0v1.9.02.001\u00a0allows an attacker to inject SQL queries via Network"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-10-26T23:11:28.594Z"}, "references": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Delta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.</span>\n\n<br>"}], "value": "\nDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\n\n\n"}], "source": {"advisory": "ICSA-22-298-06", "discovery": "EXTERNAL"}, "title": "Delta Electronics DIAEnergie SQL Injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:59.709Z"}, "title": "CVE Program Container", "references": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T17:25:54.605276Z", "id": "CVE-2022-43506", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T17:42:35.524Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "cveId": "CVE-2022-43506", "serial": 1, "state": "PUBLISHED", "dateUpdated": "2025-04-16T17:42:35.524Z", "dateReserved": "2022-10-31T00:00:00.000Z", "datePublished": "2022-11-17T22:45:55.514Z", "assignerShortName": "icscert"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T13:32:59.709Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-43506", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T17:25:54.605276Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T17:25:56.012Z"}}], "cna": {"title": "Delta Electronics DIAEnergie SQL Injection", "source": {"advisory": "ICSA-22-298-06", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Michael Heinzl reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Delta Electronics", "product": "DIAEnergie", "versions": [{"status": "affected", "version": "All"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "\nDelta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Delta did not publicly release v1.9.01.002 or v1.9.02.001, which addresses these vulnerabilities. Users are encouraged to contact Delta to receive these updates.</span>\n\n<br>", "base64": false}]}], "datePublic": "2022-11-10T18:00:00.000Z", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "SQL Injection in \n\n\n\nHandlerTag_KID.ashx\n\n\n\nin Delta Electronics DIAEnergie versions prior to\u00a0v1.9.02.001\u00a0allows an attacker to inject SQL queries via Network", "supportingMedia": [{"type": "text/html", "value": "SQL Injection in \n\n<span style=\"background-color: rgb(255, 255, 255);\">\n\n<span style=\"background-color: rgb(255, 255, 255);\">HandlerTag_KID.ashx</span>\n\n</span>\n\nin Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-10-26T23:11:28.594Z"}}}, "cveMetadata": {"cveId": "CVE-2022-43506", "state": "PUBLISHED", "serial": 1, "dateUpdated": "2025-04-16T17:42:35.524Z", "dateReserved": "2022-10-31T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-11-17T22:45:55.514Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BB46AFC-A927-4749-99C8-DC75B691BF89", "versionEndExcluding": "1.9.02.001", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SQL Injection in \n\n\n\nHandlerTag_KID.ashx\n\n\n\nin Delta Electronics DIAEnergie versions prior to\u00a0v1.9.02.001\u00a0allows an attacker to inject SQL queries via Network"}, {"lang": "es", "value": "La inyecci\u00f3n SQL en HandlerTag_KID.ashx en versiones de Delta Electronics DIAEnergie anteriores a v1.9.02.001 permite a un atacante inyectar consultas SQL a trav\u00e9s de la red"}], "id": "CVE-2022-43506", "lastModified": "2024-11-21T07:26:39.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-17T23:15:24.303", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-06"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}