Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)

Title: Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)
Advisory ID: ZSL-2022-5703
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 14.04.2022
Summary
enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS.
Description
Input passed to the POST parameter 'Username' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site.
Vendor
Delta Controls Inc. - https://www.deltacontrols.com
Affected Version
3.40.3935
3.40.3706
3.33.4005
Tested On
DELTA enteliTOUCH
Vendor Status
[06.04.2022] Vulnerability discovered.
[06.04.2022] Vendor contacted.
[13.04.2022] No response from the vendor.
[14.04.2022] Public security advisory released.
PoC
entelitouch_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/166728/Delta-Controls-enteliTOUCH-3.40.3935-Cross-Site-Scripting.html
[2] https://www.exploit-db.com/exploits/50879
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/224333
[4] https://cxsecurity.com/issue/WLB-2022040065
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29732
[6] https://nvd.nist.gov/vuln/detail/CVE-2022-29732
Changelog
[14.04.2022] - Initial release
[20.04.2022] - Added reference [1], [2], [3] and [4]
[29.05.2022] - Added reference [5] and [6]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk