PT-2019-12898 · Auo · Auo Sunveillance Monitoring System

Published: 2019-11-12 · Updated: 2019-11-15 · CVE-2019-12720

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: AUO SunVeillance Monitoring System versions prior to 1.1.9e

Description: The issue allows an attacker to submit a SQL injection payload to the server and read privileged data from the backend database. The injection is possible through several parameters: MailAdd in "mvc send mail.aspx", plant no in "picture manage mvc.aspx" and "swapdl mvc.aspx", and Text Postal Code and Text Dis Code in "account management.aspx".

Recommendations: For versions prior to 1.1.9e, update to version 1.1.9e or later to resolve the issue. As a temporary workaround, restrict access to the affected endpoints ("mvc send mail.aspx", "picture manage mvc.aspx", "swapdl mvc.aspx", and "account management.aspx") to reduce the risk of exploitation, and avoid passing the vulnerable parameters MailAdd, plant no, Text Postal Code, and Text Dis Code to those endpoints until the fix is applied.

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2019-12720

Affected Products

Auo Sunveillance Monitoring System