PT-2020-14044 · Advantech · iView

Rgod · Published 2020-07-15 · Updated 2020-07-21 · CVE-2020-14497

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Advantech iView versions 5.6 and prior

Description: Multiple SQL injection vulnerabilities allow an attacker-controlled string to be used in the construction of SQL queries. This could enable the extraction of user credentials, reading or modification of information, and remote code execution.

Recommendations: For Advantech iView versions 5.6 and prior, consider disabling or restricting access to SQL query construction until a patch is available. Restrict the use of attacker-controlled strings in SQL queries to minimize the risk of exploitation. Avoid using vulnerable functions or parameters that allow SQL injection until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
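The root cause named in the description, an attacker-controlled string becoming part of the SQL text instead of a bound value, is easiest to see with the vulnerable pattern beside its hardened form. The following is an added illustration, not code from Advantech iView (whose implementation this record does not show): it uses an in-memory SQLite table with constructed sample rows, a deliberately vulnerable lookup built by string concatenation, and the same lookup rewritten with a bound parameter. All names (`lookup_vulnerable`, `lookup_safe`, the `users` table, the sample rows) are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example; not data from any real product.
SAMPLE_USERS = [
    ("alice", "h1$alice"),
    ("bob", "h1$bob"),
    ("carol", "h1$carol"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern (hypothetical): the caller-supplied string is spliced
    into the SQL text, so a quote in it changes the query's grammar rather than
    being treated as a value."""
    sql = "SELECT username, pw_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the query text is fixed and the string is passed as a
    bound parameter, so the database never parses it as SQL."""
    sql = "SELECT username, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign and a constructed hostile input and return
    the row sets, so the difference can be inspected or asserted on."""
    conn = make_db()
    benign = "bob"
    hostile = "' OR '1'='1"  # constructed input that closes the quoted literal
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query, the hostile input turns the `WHERE` clause into a tautology and the lookup returns every user's password hash, which is the credential-extraction outcome the description warns about; with the parameterized query the same input matches nothing, because it is compared literally as a username. The check a reviewer wants when auditing code for this class of bug is therefore whether any request-derived string reaches the SQL text by concatenation or formatting rather than through a parameter binding.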

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2020-14497
ZDI-20-827
ZDI-20-828
ZDI-20-830
ZDI-20-832
ZDI-20-833
ZDI-20-835
ZDI-20-836
ZDI-20-837
ZDI-20-838
ZDI-20-839
ZDI-20-842
ZDI-20-843
ZDI-20-844
ZDI-20-845
ZDI-20-846
ZDI-20-848
ZDI-20-849
ZDI-20-850
ZDI-20-851
ZDI-20-852
ZDI-20-853
ZDI-20-854
ZDI-20-855
ZDI-20-856
ZDI-20-857
ZDI-20-858
ZDI-20-860
ZDI-20-861
ZDI-20-862
ZDI-20-863
ZDI-20-864
ZDI-20-865
ZDI-20-866
ZDI-20-868
ZDI-20-869

Affected Products

iView