PT-2021-5445 · Advantech · Advantech R-Seenet

Yuri Kramarz

Published

2021-08-19

Updated

2022-07-23

CVE-2021-21930

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions Advantech R-SeeNet (affected versions not specified)

Description The issue is related to the incorrect handling of the sn filter parameter in the device list component, allowing an attacker to conduct SQL injection attacks. This can be triggered by making authenticated HTTP requests to the sn filter parameter, potentially through cross-site request forgery. An attacker can exploit this issue as any authenticated user.

Recommendations For Advantech R-SeeNet, consider disabling the sn filter parameter in the device list component until a patch is available to prevent exploitation. Restrict access to the device list component to minimize the risk of exploitation. Avoid using the sn filter parameter in authenticated HTTP requests until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

BDU:2021-06289

CVE-2021-21930

Affected Products

Advantech R-Seenet

PT-2021-5445 · Advantech · Advantech R-Seenet

CVE-2021-21930

Weakness Enumeration

Related Identifiers

Affected Products

References · 7