CVE-2022-26836 - Vulnerability Details - OpenCVE

Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Deltaww	Diaenergie

Configuration 1 [-]

cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01

History

Wed, 16 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-03-29T16:37:09.752Z

Updated: 2025-04-16T16:36:05.108Z

Reserved: 2022-03-14T00:00:00.000Z

Link: CVE-2022-26836

Vulnrichment

Updated: 2024-08-03T05:11:44.483Z

NVD

Status : Modified

Published: 2022-03-29T17:15:16.153

Modified: 2024-11-21T06:54:36.863

Link: CVE-2022-26836

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "DIAEnergie", "vendor": "Delta Electronics", "versions": [{"lessThan": "1.8.02.004", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA."}], "datePublic": "2022-03-22T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-29T16:37:09.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01"}], "solutions": [{"lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices"}], "source": {"advisory": "ICSA-22-081-01", "discovery": "UNKNOWN"}, "title": "Delta Electronics DIAEnergie SQL Injection in HandlerExport.ashx/Calendar.ashx", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z", "ID": "CVE-2022-26836", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in HandlerExport.ashx/Calendar.ashx"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DIAEnergie", "version": {"version_data": [{"version_affected": "<", "version_value": "1.8.02.004"}]}}]}, "vendor_name": "Delta Electronics"}]}}, "credit": [{"lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01"}]}, "solution": [{"lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices"}], "source": {"advisory": "ICSA-22-081-01", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:11:44.483Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T15:57:04.420232Z", "id": "CVE-2022-26836", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T16:36:05.108Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2022-26836", "datePublished": "2022-03-29T16:37:09.752Z", "dateReserved": "2022-03-14T00:00:00.000Z", "dateUpdated": "2025-04-16T16:36:05.108Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:11:44.483Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-26836", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T15:57:04.420232Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T15:57:07.248Z"}}], "cna": {"title": "Delta Electronics DIAEnergie SQL Injection in HandlerExport.ashx/Calendar.ashx", "source": {"advisory": "ICSA-22-081-01", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA."}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Delta Electronics", "product": "DIAEnergie", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "1.8.02.004", "versionType": "custom"}]}], "solutions": [{"lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices"}], "datePublic": "2022-03-22T00:00:00.000Z", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "tags": ["x_refsource_CONFIRM"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-03-29T16:37:09.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Michael Heinzl and Dusan Stevanovic of Trend Micro\u2019s Zero Day Initiative reported these vulnerabilities to CISA."}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "ICSA-22-081-01", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "1.8.02.004", "version_affected": "<"}]}, "product_name": "DIAEnergie"}]}, "vendor_name": "Delta Electronics"}]}}, "solution": [{"lang": "en", "value": "Delta Electronics has fixed the reported vulnerabilities in Version 1.08.02.004. Users should contact Delta customer service or a Delta representative for this release, as it will not be released publicly. Delta is working on a public release that will include these fixes and other features on June 30, 2022.\n\nDelta also suggests users:\n\nMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.\nLocate control system networks and remote devices behind firewalls and isolate them from the business network.\nUse an application firewall that can detect attacks against \u201cPath Traversal\u201d and \u201cSQL Injection\u201d weakness.\nNever connect programming software to any network other than the network intended for that device.\nWhen remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing a VPN is only as secure as its connected devices"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-26836", "STATE": "PUBLIC", "TITLE": "Delta Electronics DIAEnergie SQL Injection in HandlerExport.ashx/Calendar.ashx", "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2022-03-22T18:52:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2022-26836", "state": "PUBLISHED", "dateUpdated": "2025-04-16T16:36:05.108Z", "dateReserved": "2022-03-14T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-03-29T16:37:09.752Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deltaww:diaenergie:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFE259F4-C6EC-41EE-B1E1-693C9248931F", "versionEndExcluding": "1.8.02.004", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability that exists in HandlerExport.ashx/Calendar. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands."}, {"lang": "es", "value": "Delta Electronics DIAEnergie (Todas las versiones anteriores a la 1.8.02.004) presenta una vulnerabilidad de inyecci\u00f3n SQL ciega que se presenta en el archivo HandlerExport.ashx/Calendar. Esto permite a un atacante inyectar consultas SQL arbitrarias, recuperar y modificar el contenido de la base de datos y ejecutar comandos del sistema"}], "id": "CVE-2022-26836", "lastModified": "2024-11-21T06:54:36.863", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-29T17:15:16.153", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-081-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}