CVE-2021-21916

Name of the Vulnerable Software and Affected Versions Advantech R-SeeNet version 2.4.15

Description An exploitable SQL injection vulnerability exists in the 'group list' page. A specially-crafted HTTP request at the description filter parameter can trigger this issue. An attacker can make authenticated HTTP requests to exploit this vulnerability, which can be done as any authenticated user or through cross-site request forgery. The vulnerability is related to the lack of protection of the SQL query structure, allowing a remote attacker to execute arbitrary SQL queries.

Recommendations For Advantech R-SeeNet version 2.4.15, consider disabling access to the 'group list' page or restricting the use of the description filter parameter until a patch is available. Additionally, restrict access to authenticated HTTP requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.