PT-2021-19980 · Advantech · Advantech iView

Enesdex

·

Published

2021-06-07

·

Updated

2021-06-21

·

CVE-2021-32932

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Advantech iView, versions prior to v5.7.03.6182
Description: A SQL injection vulnerability in Advantech iView allows an unauthenticated remote attacker (CVSS vector AV:N/PR:N) to disclose information from the application's database. The injection is reachable through several functions of the NetworkServlet: findUpdateDeviceListDetails, saveZtpConfig, deleteZtpConfig, getInventoryReportData, getAllActiveTraps, setDeviceAuthentication, getNextTrapPage, and getPSInventoryInfo.
Recommendations: For versions prior to v5.7.03.6182, update to v5.7.03.6182 or later, which resolves the issue. If you cannot update immediately, restrict network access to the vulnerable NetworkServlet endpoints (such as /NetworkServlet) to trusted management hosts, and review access logs for requests that reach the affected functions. Run the iView database account with the least privilege the application needs, so that a successful injection can read only what iView itself uses.
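Added here as an illustration, not code from the advisory or from Advantech: a small Python triage helper that (a) tells you whether an installed iView version falls in the affected range and (b) scans web-server access log lines for requests to /NetworkServlet that name one of the eight affected functions and carry SQL-injection indicators. The Common Log Format, the `action=` request parameter and the sample log lines are assumptions made for the example; the version, path and function names come from the advisory.

```python
"""Triage helper for CVE-2021-32932 (SQL injection in Advantech iView).

Added example, not Advantech's or the advisory's own code. Assumptions
that the advisory does not state, labelled here: (1) iView sits behind
a web server that writes a Common Log Format access log; (2) the
vulnerable function is selected by a request parameter, shown as
"action=" in the constructed sample lines below. Adjust LOG_RE and the
sample format to match your deployment.
"""
import re
from urllib.parse import unquote_plus

FIXED_VERSION = "5.7.03.6182"    # first fixed release, per the advisory
VULN_PATH = "/NetworkServlet"    # vulnerable servlet path, per the advisory
VULN_FUNCTIONS = {               # affected functions, per the advisory
    "findUpdateDeviceListDetails", "saveZtpConfig", "deleteZtpConfig",
    "getInventoryReportData", "getAllActiveTraps", "setDeviceAuthentication",
    "getNextTrapPage", "getPSInventoryInfo",
}

# Common SQL injection indicators, matched after URL decoding. A hit is a
# lead for manual review, not proof of exploitation.
SQLI_INDICATORS = re.compile(
    r"['\"]|--|/\*|#|;|\b(?:union|select|sleep|benchmark|waitfor)\b",
    re.IGNORECASE,
)

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def version_tuple(v):
    """'v5.7.03.6182' -> (5, 7, 3, 6182): compare numerically, not as strings."""
    return tuple(int(part) for part in v.strip().lstrip("vV").split("."))


def is_affected(installed):
    """True for any iView version earlier than the fixed release."""
    return version_tuple(installed) < version_tuple(FIXED_VERSION)


def triage_line(line):
    """Classify one access-log line.

    Returns None if the line is unparsable or does not touch the servlet,
    otherwise a dict with the client, the affected functions named in the
    request, and whether the decoded request carries injection indicators.
    POST bodies are not in access logs, so a POST to an affected function
    shows up as a hit without indicators; check application logs for those.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m["target"])
    path = target.split("?", 1)[0]
    if not path.startswith(VULN_PATH):
        return None
    functions = sorted(f for f in VULN_FUNCTIONS if f in target)
    return {
        "ip": m["ip"],
        "method": m["method"],
        "status": int(m["status"]),
        "functions": functions,
        "suspicious": bool(functions) and SQLI_INDICATORS.search(target) is not None,
    }


def triage(lines):
    """Keep only requests that reach one of the affected functions."""
    results = (triage_line(line) for line in lines)
    return [r for r in results if r is not None and r["functions"]]


# Constructed sample lines, not real traffic; private/documentation addresses.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jun/2021:10:01:02 +0000] "GET /NetworkServlet?action=getAllActiveTraps&page=1 HTTP/1.1" 200 812',
    '198.51.100.7 - - [07/Jun/2021:10:01:09 +0000] "GET /NetworkServlet?action=getNextTrapPage&page=1%27%20UNION%20SELECT%201,2-- HTTP/1.1" 200 2048',
    '10.0.0.5 - - [07/Jun/2021:10:01:15 +0000] "GET /index.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Jun/2021:10:01:20 +0000] "POST /NetworkServlet?action=setDeviceAuthentication HTTP/1.1" 200 33',
]

if __name__ == "__main__":
    print("installed v5.7.03.6100 affected:", is_affected("v5.7.03.6100"))
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Two points worth keeping in mind when using this: a request is flagged "suspicious" only when the decoded request line carries an indicator, so a POST whose injection rides in the body is reported as a plain hit on the function and needs application-level logging to confirm; and the version comparison is numeric per component, which is why 5.7.03.6181 sorts before 5.7.03.6182 while a string comparison of the raw labels could mislead.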

Fix

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2021-32932
ZDI-21-649
ZDI-21-650
ZDI-21-651
ZDI-21-652
ZDI-21-653
ZDI-21-654
ZDI-21-655
ZDI-21-656

Affected Products

Advantech iView