Improper neutralization of input within the affected product could lead to cross-site scripting.

SQL injection vulnerability exists in GetDIAE_astListParameters.

Path traversal attack is possible and write outside of the intended directory and may access sensitive information. If a file name is specified that already exists on the file system, then the original file will be overwritten.

SQL injection vulnerability exists in GetDIAE_slogListParameters.

SQL injection vulnerability exists in GetDIAE_unListParameters.

SQL injection vulnerability exists in the script Handler_CFG.ashx.

Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.

SQL injection vulnerability exists in the script DIAE_tagHandler.ashx.

The affected product DIAEnergie (versions prior to v1.9.03.001) contains improper authorization, which could allow an unauthorized user to bypass authorization and access privileged functionality.

SQL Injection in FtyInfoSetting.aspx in Delta Electronics DIAEnergie versions prior to v1.9.02.001 allows an attacker to inject SQL queries via Network