CVE-2017-16716

Name of the Vulnerable Software and Affected Versions: Advantech WebAccess versions prior to 8.3

Description: A SQL Injection issue was discovered in Advantech WebAccess. The software does not properly sanitize its inputs for SQL commands, which can be exploited by a remote attacker. The vulnerability is related to the lack of protection of the SQL query structure in the ChkAdminViewUsrPwd1 component. Exploitation of the vulnerability may allow a remote attacker to execute arbitrary code using parameters such as ProjectName and Username.

Recommendations: For versions prior to 8.3, update to version 8.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the ChkAdminViewUsrPwd1 component and avoiding the use of parameters ProjectName and Username in the affected API endpoints until a patch is available.