PT-2019-15291 · Advantech · Wise-Paas/Rmm
Rgod · Published 2019-10-31 · Updated 2021-05-13 · CVE-2019-18229
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Advantech WISE-PaaS/RMM versions 3.3.29 and prior
Description
The issue is caused by a lack of sanitization of user-supplied input, leading to SQL injection vulnerabilities. This allows an attacker to disclose information. The vulnerabilities are present in various components, including SQLMgmt and fuzzySearch functions in different modules such as DeviceMgmt, RecoveryMgmt, ProtectionMgmt, and PowerMgmt.
Recommendations
For Advantech WISE-PaaS/RMM versions 3.3.29 and prior, consider disabling the SQLMgmt and fuzzySearch functions until a patch is available to prevent SQL injection attacks. Restrict access to the affected modules to minimize the risk of exploitation. Avoid using user-supplied input in the updateData, insertData, getTableInfo, delData, CreateTable, and qryData functions within the SQLMgmt component, as well as the fuzzySearch function in the DeviceMgmt, RecoveryMgmt, ProtectionMgmt, and PowerMgmt components, until the issue is resolved.
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Wise-Paas/Rmm