CVE-2022-2135
Advantech iView
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information.
El producto afectado es vulnerable a múltiples inyecciones SQL que pueden permitir a un atacante no autorizado divulgar información
This vulnerability allows remote attackers to create arbitrary files on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the DESCRIPTION element of the setTaskEditorItem action, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-06-20 CVE Reserved
- 2022-06-30 CVE Published
- 2024-09-16 CVE Updated
- 2024-11-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Advantech Search vendor "Advantech" | Iview Search vendor "Advantech" for product "Iview" | < 5.7.04.6469 Search vendor "Advantech" for product "Iview" and version " < 5.7.04.6469" | - |
Affected
| ||||||