← Advisories

Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)

Medium
Advisory ID
ZSL-2022-5703
Release Date
14 April 2022
Vendor
Delta Controls Inc. - https://www.deltacontrols.com
Affected Version
3.40.3935, 3.40.3706, 3.33.4005
CVE
CVE-2022-29732
Tested On
DELTA enteliTOUCH
Summary

enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS.

Description

Input passed to the POST parameter 'Username' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site.

Proof of Concept
entelitouch_xss.htmlTXT
Disclosure Timeline
06.04.2022Vulnerability discovered.
06.04.2022Vendor contacted.
13.04.2022No response from the vendor.
14.04.2022Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://packetstormsecurity.com/files/166728/Delta-Controls-enteliTOUCH-3.40.3935-Cross-Site-Scripting.html
[2]https://www.exploit-db.com/exploits/50879
[3]https://exchange.xforce.ibmcloud.com/vulnerabilities/224333
[4]https://cxsecurity.com/issue/WLB-2022040065
[5]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29732
[6]https://nvd.nist.gov/vuln/detail/CVE-2022-29732
Changelog
14.04.2022Initial release
20.04.2022Added reference [1], [2], [3] and [4]
29.05.2022Added reference [5] and [6]