CVE-2020-13501

Name of the Vulnerable Software and Affected Versions eDNA Enterprise Data Historian version 3.0.1.2/7.5.4989.33053

Description An SQL injection issue exists in the CHaD.asmx web service functionality. Specially crafted SOAP web requests can cause SQL injections, resulting in data compromise. The InstanceName parameter in CHaD.asmx is vulnerable to unauthenticated SQL injection attacks.

Recommendations For eDNA Enterprise Data Historian version 3.0.1.2/7.5.4989.33053, consider restricting access to the CHaD.asmx web service functionality to minimize the risk of exploitation. Avoid using the InstanceName parameter in the affected web service until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.