PT-2021-4938 · Advantech · Advantech R-Seenet

Yuri Kramarz

Published

2021-08-19

Updated

2022-07-22

CVE-2021-21924

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions Advantech R-SeeNet (affected versions not specified)

Description The issue is related to the incorrect handling of the desc filter parameter in the device list component, which can lead to SQL injection. An attacker can exploit this by making authenticated HTTP requests or through cross-site request forgery. This allows a remote attacker to conduct cross-site scripting attacks by sending specially crafted SQL queries.

Recommendations As a temporary workaround, consider disabling the desc filter parameter in the affected component until a patch is available. Restrict access to the device list component to minimize the risk of exploitation. Avoid using the desc filter parameter in authenticated HTTP requests until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

BDU:2021-05684

CVE-2021-21924

Affected Products

Advantech R-Seenet

PT-2021-4938 · Advantech · Advantech R-Seenet

CVE-2021-21924

Weakness Enumeration

Related Identifiers

Affected Products

References · 7