CVE-2021-21936

Name of the Vulnerable Software and Affected Versions Advantech R-SeeNet (affected versions not specified)

Description The issue is related to a lack of protection in the SQL query structure, which can be exploited through a specially-crafted HTTP request, potentially leading to SQL injection. This can be triggered by making authenticated HTTP requests, specifically targeting the health alt filter parameter. An attacker can exploit this as any authenticated user or through cross-site request forgery. The vulnerability may allow a remote attacker to disclose protected information using a specially crafted request.

Recommendations As a temporary workaround, consider disabling access to the health alt filter parameter in the device list.php file until a patch is available. Restrict access to the device list.php file to minimize the risk of exploitation. Avoid using the health alt filter parameter in authenticated HTTP requests until the issue is resolved.