ZDI-20-861: Advantech iView User addUser SQL Injection Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the User class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM.
| Affected Software | Affected Version | How to fix |
|---|---|---|
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of ZDI-20-861?
The severity of ZDI-20-861 has been rated as high due to its potential for sensitive information disclosure.
How do I fix ZDI-20-861?
To fix ZDI-20-861, apply the latest security patches provided by Advantech for iView.
Can ZDI-20-861 be exploited remotely?
Yes, ZDI-20-861 can be exploited remotely without authentication.
What types of information are at risk due to ZDI-20-861?
ZDI-20-861 can potentially disclose sensitive information related to user data and system configurations.
Is authentication required to exploit ZDI-20-861?
No, authentication is not required to exploit the ZDI-20-861 vulnerability.
- agent/references
- agent/severity
- agent/title
- agent/softwarecombine
- agent/type
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-20-861
- alias/ZDI-CAN-10702
- alias/CVE-2020-14497
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/advantech
- canonical/advantech iview