CVE-2022-3323

Name of the Vulnerable Software and Affected Versions Advantech iView version 5.7.04.6469

Description The issue is related to an SQL injection vulnerability. It exists within the "ConfigurationServlet" endpoint, which listens on TCP port 8080 by default. An unauthenticated remote attacker can craft a special column value parameter in the setConfiguration action to bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() and perform SQL injection. This could allow the attacker to retrieve the iView admin password.

Recommendations For Advantech iView version 5.7.04.6469, consider disabling the setConfiguration action in the "ConfigurationServlet" endpoint until a patch is available. Restrict access to the ConfigurationServlet endpoint to minimize the risk of exploitation. Avoid using the column value parameter in the setConfiguration action until the issue is resolved.