CVE-2022-50592
9.3 Critical
Published:
Last updated:
Source: disclosure@vulncheck.com
Analyzed
CVSS Vector (v4.0)
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: None
- User Interaction: None
- Confidentiality (Vulnerable): High
- Integrity (Vulnerable): High
- Availability (Vulnerable): High
- Confidentiality (Subsequent): None
- Integrity (Subsequent): None
- Availability (Subsequent): None
Description
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘getInventoryReportData’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
References
- https://blog.exodusintel.com/2022/03/01/advantech-iview-getinventoryreportdata-parameter-sql-injection-information-disclosure/ (source: disclosure@vulncheck.com)
- https://www.advantech.tw/support/details/firmware?id=1-HIPU-183 (source: disclosure@vulncheck.com)
- https://www.vulncheck.com/advisories/advantech-iview-getinventoryreportdata-parameter-sqli-rce (source: disclosure@vulncheck.com)