VAR-202206-0167
Vulnerability from variot - Updated: 2024-11-23 21:58. Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 were discovered to contain a cross-site scripting (XSS) vulnerability via the Username parameter. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload. Delta Controls enteliTOUCH is a touch screen building controller from Delta Controls, Canada. The vulnerability stems from the Username parameter lacking validation of user-supplied data and encoding of that data on output. enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS. Input passed to the POST parameter 'Username' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in the context of an affected site. Tested on: DELTA enteliTOUCH
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202206-0167",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "entelitouch",
"scope": "eq",
"trust": 1.0,
"vendor": "deltacontrols",
"version": "3.40.3935"
},
{
"model": "entelitouch",
"scope": "eq",
"trust": 1.0,
"vendor": "deltacontrols",
"version": "3.33.4005"
},
{
"model": "entelitouch",
"scope": "eq",
"trust": 1.0,
"vendor": "deltacontrols",
"version": "3.40.3706"
},
{
"model": "entelitouch",
"scope": null,
"trust": 0.8,
"vendor": "delta controls",
"version": null
},
{
"model": "entelitouch",
"scope": "eq",
"trust": 0.8,
"vendor": "delta controls",
"version": "entelitouch firmware 3.40.3935"
},
{
"model": "entelitouch",
"scope": "eq",
"trust": 0.8,
"vendor": "delta controls",
"version": "entelitouch firmware 3.33.4005"
},
{
"model": "entelitouch",
"scope": "eq",
"trust": 0.8,
"vendor": "delta controls",
"version": "entelitouch firmware 3.40.3706"
},
{
"model": "entelitouch",
"scope": "eq",
"trust": 0.8,
"vendor": "delta controls",
"version": null
},
{
"model": "controls dentelitouch",
"scope": "eq",
"trust": 0.6,
"vendor": "delta",
"version": "3.40.3935"
},
{
"model": "controls dentelitouch",
"scope": "eq",
"trust": 0.6,
"vendor": "delta",
"version": "3.40.3706"
},
{
"model": "controls dentelitouch",
"scope": "eq",
"trust": 0.6,
"vendor": "delta",
"version": "3.33.4005"
},
{
"model": "entelitouch",
"scope": "eq",
"trust": 0.1,
"vendor": "delta controls",
"version": "3.40.3935"
},
{
"model": "entelitouch",
"scope": "eq",
"trust": 0.1,
"vendor": "delta controls",
"version": "3.40.3706"
},
{
"model": "entelitouch",
"scope": "eq",
"trust": 0.1,
"vendor": "delta controls",
"version": "3.33.4005"
}
],
"sources": [
{
"db": "ZSL",
"id": "ZSL-2022-5703"
},
{
"db": "CNVD",
"id": "CNVD-2022-77000"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010888"
},
{
"db": "NVD",
"id": "CVE-2022-29732"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Vulnerability discovered by Gjoko Krstic",
"sources": [
{
"db": "ZSL",
"id": "ZSL-2022-5703"
}
],
"trust": 0.1
},
"cve": "CVE-2022-29732",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2022-29732",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CNVD-2022-77000",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"id": "CVE-2022-29732",
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2022-29732",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-29732",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2022-29732",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2022-77000",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202206-260",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "ZSL",
"id": "ZSL-2022-5703",
"trust": 0.1,
"value": "(3/5)"
}
]
}
],
"sources": [
{
"db": "ZSL",
"id": "ZSL-2022-5703"
},
{
"db": "CNVD",
"id": "CNVD-2022-77000"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010888"
},
{
"db": "CNNVD",
"id": "CNNVD-202206-260"
},
{
"db": "NVD",
"id": "CVE-2022-29732"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Delta Controls enteliTOUCH 3.40.3935, 3.40.3706, and 3.33.4005 were discovered to contain a cross-site scripting (XSS) vulnerability via the Username parameter. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload. Delta Controls enteliTOUCH is a touch screen building controller from Delta Controls, Canada. The vulnerability stems from the Username parameter lacking validation of user-supplied data and encoding of that data on output. enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS. Input passed to the POST parameter \u0027Username\u0027 is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML code in a user\u0027s browser session in the context of an affected site. Tested on: DELTA enteliTOUCH",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-29732"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010888"
},
{
"db": "CNVD",
"id": "CNVD-2022-77000"
},
{
"db": "ZSL",
"id": "ZSL-2022-5703"
},
{
"db": "VULMON",
"id": "CVE-2022-29732"
}
],
"trust": 2.34
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.zeroscience.mk/codes/entelitouch_xss.txt",
"trust": 0.1,
"type": "poc"
}
],
"sources": [
{
"db": "ZSL",
"id": "ZSL-2022-5703"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-29732",
"trust": 4.0
},
{
"db": "ZSL",
"id": "ZSL-2022-5703",
"trust": 2.6
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010888",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-77000",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202206-260",
"trust": 0.6
},
{
"db": "CXSECURITY",
"id": "WLB-2022040065",
"trust": 0.1
},
{
"db": "EXPLOIT-DB",
"id": "50879",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "166728",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2022-29732",
"trust": 0.1
}
],
"sources": [
{
"db": "ZSL",
"id": "ZSL-2022-5703"
},
{
"db": "CNVD",
"id": "CNVD-2022-77000"
},
{
"db": "VULMON",
"id": "CVE-2022-29732"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010888"
},
{
"db": "CNNVD",
"id": "CNNVD-202206-260"
},
{
"db": "NVD",
"id": "CVE-2022-29732"
}
]
},
"id": "VAR-202206-0167",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-77000"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-77000"
}
]
},
"last_update_date": "2024-11-23T21:58:20.574000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Patch for Delta Controls enteliTOUCH cross-site scripting vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/346031"
},
{
"title": "Delta Controls enteliTOUCH Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=195738"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-77000"
},
{
"db": "CNNVD",
"id": "CNNVD-202206-260"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.0
},
{
"problemtype": "Cross-site scripting (CWE-79) [NVD evaluation]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-010888"
},
{
"db": "NVD",
"id": "CVE-2022-29732"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.1,
"url": "https://www.deltacontrols.com/"
},
{
"trust": 2.5,
"url": "https://www.zeroscience.mk/en/vulnerabilities/zsl-2022-5703.php"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-29732"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-29732/"
},
{
"trust": 0.1,
"url": "https://packetstormsecurity.com/files/166728/delta-controls-entelitouch-3.40.3935-cross-site-scripting.html"
},
{
"trust": 0.1,
"url": "https://www.exploit-db.com/exploits/50879"
},
{
"trust": 0.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/224333"
},
{
"trust": 0.1,
"url": "https://cxsecurity.com/issue/wlb-2022040065"
},
{
"trust": 0.1,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2022-29732"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "ZSL",
"id": "ZSL-2022-5703"
},
{
"db": "CNVD",
"id": "CNVD-2022-77000"
},
{
"db": "VULMON",
"id": "CVE-2022-29732"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010888"
},
{
"db": "CNNVD",
"id": "CNNVD-202206-260"
},
{
"db": "NVD",
"id": "CVE-2022-29732"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZSL",
"id": "ZSL-2022-5703"
},
{
"db": "CNVD",
"id": "CNVD-2022-77000"
},
{
"db": "VULMON",
"id": "CVE-2022-29732"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-010888"
},
{
"db": "CNNVD",
"id": "CNNVD-202206-260"
},
{
"db": "NVD",
"id": "CVE-2022-29732"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-04-14T00:00:00",
"db": "ZSL",
"id": "ZSL-2022-5703"
},
{
"date": "2022-08-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-77000"
},
{
"date": "2022-06-02T00:00:00",
"db": "VULMON",
"id": "CVE-2022-29732"
},
{
"date": "2023-08-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-010888"
},
{
"date": "2022-06-02T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202206-260"
},
{
"date": "2022-06-02T14:15:50.910000",
"db": "NVD",
"id": "CVE-2022-29732"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-05-29T00:00:00",
"db": "ZSL",
"id": "ZSL-2022-5703"
},
{
"date": "2022-11-15T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-77000"
},
{
"date": "2022-06-02T00:00:00",
"db": "VULMON",
"id": "CVE-2022-29732"
},
{
"date": "2023-08-17T08:34:00",
"db": "JVNDB",
"id": "JVNDB-2022-010888"
},
{
"date": "2022-06-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202206-260"
},
{
"date": "2024-11-21T06:59:37.500000",
"db": "NVD",
"id": "CVE-2022-29732"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202206-260"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Delta Controls enteliTOUCH cross-site scripting vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-77000"
},
{
"db": "CNNVD",
"id": "CNNVD-202206-260"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202206-260"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.