Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability

CVE-2023-52335

7.5HIGH

Key Information

Vendor: Advantech
Status: Iview
Vendor: CVE Published:; 22 November 2024

Summary

Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17863.

Affected Version(s)

iView = 5.7.04

Refferences

https://www.zerodayinitiative.com/advisories/ZDI-24-610/

x_research-advisory

https://www.advantech.com/zh-tw/support/details/firmware?...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 22, 2024
Vulnerability Reserved
Jan 11, 2024

Collectors

NVD DatabaseMitre Database