CVE-2020-14497: Advantech iView TaskEditDeviceTable updateSelected SQL Injection Information Disclosure Vulnerability
First published: Wed Jul 15 2020(Updated: )
Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Advantech iView | <=5.6 | |
| Advantech iView | ||
| Advantech iView Versions 5.6 and prior |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://us-cert.cisa.gov/ics/advisories/icsa-20-196-01
- https://www.zerodayinitiative.com/advisories/ZDI-20-827/
- https://www.zerodayinitiative.com/advisories/ZDI-20-828/
- https://www.zerodayinitiative.com/advisories/ZDI-20-830/
- https://www.zerodayinitiative.com/advisories/ZDI-20-832/
- https://www.zerodayinitiative.com/advisories/ZDI-20-833/
- https://www.zerodayinitiative.com/advisories/ZDI-20-835/
- https://www.zerodayinitiative.com/advisories/ZDI-20-836/
- https://www.zerodayinitiative.com/advisories/ZDI-20-837/
- https://www.zerodayinitiative.com/advisories/ZDI-20-838/
- https://www.zerodayinitiative.com/advisories/ZDI-20-839/
- https://www.zerodayinitiative.com/advisories/ZDI-20-842/
- https://www.zerodayinitiative.com/advisories/ZDI-20-843/
- https://www.zerodayinitiative.com/advisories/ZDI-20-844/
- https://www.zerodayinitiative.com/advisories/ZDI-20-845/
- https://www.zerodayinitiative.com/advisories/ZDI-20-846/
- https://www.zerodayinitiative.com/advisories/ZDI-20-847/
- https://www.zerodayinitiative.com/advisories/ZDI-20-848/
- https://www.zerodayinitiative.com/advisories/ZDI-20-849/
- https://www.zerodayinitiative.com/advisories/ZDI-20-850/
- https://www.zerodayinitiative.com/advisories/ZDI-20-851/
- https://www.zerodayinitiative.com/advisories/ZDI-20-852/
- https://www.zerodayinitiative.com/advisories/ZDI-20-853/
- https://www.zerodayinitiative.com/advisories/ZDI-20-854/
- https://www.zerodayinitiative.com/advisories/ZDI-20-855/
- https://www.zerodayinitiative.com/advisories/ZDI-20-856/
- https://www.zerodayinitiative.com/advisories/ZDI-20-857/
- https://www.zerodayinitiative.com/advisories/ZDI-20-858/
- https://www.zerodayinitiative.com/advisories/ZDI-20-860/
- https://www.zerodayinitiative.com/advisories/ZDI-20-861/
- https://www.zerodayinitiative.com/advisories/ZDI-20-862/
- https://www.zerodayinitiative.com/advisories/ZDI-20-863/
- https://www.zerodayinitiative.com/advisories/ZDI-20-864/
- https://www.zerodayinitiative.com/advisories/ZDI-20-865/
- https://www.zerodayinitiative.com/advisories/ZDI-20-866/
- https://www.zerodayinitiative.com/advisories/ZDI-20-868/
- https://www.zerodayinitiative.com/advisories/ZDI-20-869/
- https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33
- https://www.cisa.gov/news-events/ics-advisories/icsa-20-196-01 (Advisory)
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2020-14497.
What is the severity of CVE-2020-14497?
The severity of CVE-2020-14497 is critical with a CVSS score of 9.8.
What products are affected by CVE-2020-14497?
The affected product is Advantech iView with a version up to 5.6.
How does CVE-2020-14497 allow attackers to disclose sensitive information?
CVE-2020-14497 allows remote attackers to disclose sensitive information through SQL injection.
Is authentication required to exploit CVE-2020-14497?
No, authentication is not required to exploit CVE-2020-14497.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/first-publish-date
- agent/description
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-20-852
- alias/ZDI-CAN-10668
- alias/CVE-2020-14497
- agent/software-canonical-lookup
- alias/ZDI-20-851
- alias/ZDI-CAN-10661
- alias/ZDI-20-862
- alias/ZDI-CAN-10703
- alias/ZDI-20-868
- alias/ZDI-CAN-10707
- alias/ZDI-20-857
- alias/ZDI-CAN-10970
- alias/ZDI-20-860
- alias/ZDI-CAN-10700
- alias/ZDI-20-855
- alias/ZDI-CAN-10671
- alias/ZDI-20-843
- alias/ZDI-CAN-10626
- alias/ZDI-20-853
- alias/ZDI-CAN-10669
- alias/ZDI-20-856
- alias/ZDI-CAN-10672
- alias/ZDI-20-832
- alias/ZDI-CAN-10632
- alias/ZDI-20-854
- alias/ZDI-CAN-10670
- alias/ZDI-20-844
- alias/ZDI-CAN-10627
- alias/ZDI-20-830
- alias/ZDI-CAN-10637
- alias/ZDI-20-849
- alias/ZDI-CAN-10659
- alias/ZDI-20-863
- alias/ZDI-CAN-10704
- alias/ZDI-20-848
- alias/ZDI-CAN-10631
- alias/ZDI-20-861
- alias/ZDI-CAN-10702
- alias/ZDI-20-869
- alias/ZDI-CAN-10716
- alias/ZDI-20-837
- alias/ZDI-CAN-10657
- alias/ZDI-20-864
- alias/ZDI-CAN-10706
- agent/title
- alias/ZDI-20-833
- alias/ZDI-CAN-10633
- alias/ZDI-20-838
- alias/ZDI-CAN-10658
- alias/ZDI-20-846
- alias/ZDI-CAN-10629
- alias/ZDI-20-845
- alias/ZDI-CAN-10628
- alias/ZDI-20-835
- alias/ZDI-CAN-10655
- alias/ZDI-20-865
- alias/ZDI-CAN-10717
- alias/ZDI-20-866
- alias/ZDI-CAN-10708
- alias/ZDI-20-850
- alias/ZDI-CAN-10660
- alias/ZDI-20-828
- alias/ZDI-CAN-10635
- alias/ZDI-20-827
- alias/ZDI-CAN-10634
- alias/ZDI-20-842
- alias/ZDI-CAN-10625
- alias/ZDI-20-836
- alias/ZDI-CAN-10656
- alias/ZDI-20-839
- alias/ZDI-CAN-10621
- alias/ZDI-20-858
- alias/ZDI-CAN-10673
- agent/event
- agent/softwarecombine
- agent/references
- agent/tags
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup-request
- vendor/advantech
- canonical/advantech iview
- version/advantech iview/5.6
- canonical/advantech iview versions 5.6 and prior