CVE-2021-21920

Name of the Vulnerable Software and Affected Versions Advantech R-SeeNet (affected versions not specified)

Description The issue is related to the lack of protection of the SQL query structure in the surname filter parameter of the user list.php file. This can be exploited by a remote attacker using a specially-crafted HTTP request, potentially leading to the disclosure of protected information. The vulnerability can be triggered by making authenticated HTTP requests to the surname filter parameter, either with an administrative account or through cross-site request forgery.

Recommendations For Advantech R-SeeNet, consider disabling the surname filter parameter in the user list.php file as a temporary workaround until a patch is available. Restrict access to the user list.php file to minimize the risk of exploitation. Avoid using the surname filter parameter in the affected HTTP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.