CVE-2022-3323: SQL Injection
First published: Tue Sep 27 2022(Updated: )
An SQL injection vulnerability in Advantech iView 5.7.04.6469. The specific flaw exists within the ConfigurationServlet endpoint, which listens on TCP port 8080 by default. An unauthenticated remote attacker can craft a special column_value parameter in the setConfiguration action to bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform SQL injection. For example, the attacker can exploit the vulnerability to retrieve the iView admin password.
Credit: vulnreport@tenable.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Advantech iView | =5.7.04.6469 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2022-3323.
What is the severity level of CVE-2022-3323?
The severity level of CVE-2022-3323 is high with a value of 7.5.
How does the SQL injection vulnerability in Advantech iView 5.7.04.6469 work?
The vulnerability allows an unauthenticated remote attacker to craft a special parameter to bypass checks in the ConfigurationServlet endpoint.
Which software version is affected by this vulnerability?
The vulnerability affects Advantech iView version 5.7.04.6469.
Is there a fix available for this vulnerability?
It is recommended to contact Advantech for a patch or mitigation guidance.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/author
- agent/tags
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- vendor/advantech
- canonical/advantech iview
- version/advantech iview/5.7.04.6469