CVE-2022-1366
published 2022-05-02CVE-2022-1366: Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerChart.ashx. This allows an attacker to…
PriorityP278critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
19.36%
97.0th percentile
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerChart.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| delta_electronics | diaenergie | >= unspecified < 1.8.02.004 | 1.8.02.004 |
| deltaww | diaenergie | < 1.8.02.004 | 1.8.02.004 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
kernel: vhost: fix hung thread due to erroneous iotlb entries
vendor_redhat·2024-07-16·CVSS 5.5
CVE-2022-48862 [MEDIUM] CWE-835 kernel: vhost: fix hung thread due to erroneous iotlb entries
kernel: vhost: fix hung thread due to erroneous iotlb entries
In the Linux kernel, the following vulnerability has been resolved:
vhost: fix hung thread due to erroneous iotlb entries
In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when
start is 0 and last is ULONG_MAX. One instance where it can happen
is when userspace sends an IOTLB message with iova=size=uaddr=0
(vhost_process_iotlb_msg). So, an entry with size = 0, start = 0,
last = ULONG_MAX ends up in the iotlb. Next time a packet is sent,
iotlb_access_ok() loops indefinitely due to that erroneous entry.
Call Trace:
iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340
vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366
vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104
vhost_worker+0x23d/0x3d0 driver
CISA ICS
Delta Electronics DIAEnergie (Update C)
cisa_ics·2022-04-28·CVSS 9.8
[CRITICAL] Delta Electronics DIAEnergie (Update C)
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Delta Electronics DIAEnergie (Update C)
Last RevisedAugust 02, 2022
Alert CodeICSA-22-081-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Delta Electronics
- Equipment: DIAEnergie
- Vulnerabilities: Path Traversal, Incorrect Default Permissions, SQL Injection, Uncontrolled Search Path Element
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the advisory update titled ICSA-22-081-01 Delta Electronics DIAEnergie (Update B) that was published April 28, 2022, on the ICS webpage at cisa.gov/ics.
## 3. R
GHSA
GHSA-62jq-c3j8-5r6v: Delta Electronics DIAEnergie (All versions prior to 1
ghsa_unreviewed·2022-05-03
CVE-2022-1366 [CRITICAL] CWE-89 GHSA-62jq-c3j8-5r6v: Delta Electronics DIAEnergie (All versions prior to 1
Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a blind SQL injection vulnerability exists in HandlerChart.ashx. This allows an attacker to inject arbitrary SQL queries, retrieve and modify database contents, and execute system commands.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-05-02
Published