
102 vulnerabilities found for iView by Advantech

VAR-202206-2050

Vulnerability from variot - Updated: 2025-12-22 23:48

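The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the IPAddress and DNSNAME elements of the saveEditDeviceValues action, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Affected product: Advantech iView. Note that this record aggregates 15 ZDI advisories (ZDI-22-886 through ZDI-22-919) under CVE-2022-2135, so the NetworkServlet detail above comes from only one of them; the record's title refers to the setTaskEditorItem action and a remote code execution impact, and the listed CVSS v3 base scores range from 7.5 (confidentiality only) to 9.8. The record lists versions earlier than 5.7.04.6469 as affected and points to ICS advisory ICSA-22-179-03 for the vendor update.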


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202206-2050",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "iview",
        "scope": null,
        "trust": 10.5,
        "vendor": "advantech",
        "version": null
      },
      {
        "model": "iview",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "advantech",
        "version": "5.7.04.6469"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-919"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-918"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-917"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-916"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-915"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-914"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-913"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-911"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-908"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-906"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-901"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-898"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-896"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-888"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-886"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-2135"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "@rgod777",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-919"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-916"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-915"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-914"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-913"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-908"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-898"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-896"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-888"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-886"
      }
    ],
    "trust": 7.0
  },
  "cve": "CVE-2022-2135",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ZDI",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2022-2135",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 8.4,
            "userInteraction": "NONE",
            "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ZDI",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2022-2135",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 2.1,
            "userInteraction": "NONE",
            "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2022-2135",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "ZDI",
            "id": "CVE-2022-2135",
            "trust": 8.4,
            "value": "HIGH"
          },
          {
            "author": "ZDI",
            "id": "CVE-2022-2135",
            "trust": 2.1,
            "value": "CRITICAL"
          },
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2022-2135",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "ics-cert@hq.dhs.gov",
            "id": "CVE-2022-2135",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202206-2713",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-919"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-918"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-917"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-916"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-915"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-914"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-913"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-911"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-908"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-906"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-901"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-898"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-896"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-888"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-886"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202206-2713"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-2135"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-2135"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information. Authentication is not required to exploit this vulnerability. The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the IPAddress and DNSNAME elements of the saveEditDeviceValues action, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Advantech iView",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-2135"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-908"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-886"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-888"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-896"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-898"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-901"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-918"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-919"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-911"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-913"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-914"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-915"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-916"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-917"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-906"
      },
      {
        "db": "VULHUB",
        "id": "VHN-426269"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-2135"
      }
    ],
    "trust": 10.53
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2022-2135",
        "trust": 12.3
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-22-179-03",
        "trust": 1.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16750",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-919",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16529",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-918",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16535",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-917",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16561",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-916",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16585",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-915",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16562",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-914",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16591",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-913",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16531",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-911",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16747",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-908",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16546",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-906",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16530",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-901",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16693",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-898",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16694",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-896",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16563",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-888",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-16560",
        "trust": 0.7
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-886",
        "trust": 0.7
      },
      {
        "db": "CS-HELP",
        "id": "SB2022062918",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2022.3141",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202206-2713",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-426269",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-2135",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-919"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-918"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-917"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-916"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-915"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-914"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-913"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-911"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-908"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-906"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-901"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-898"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-896"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-888"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-886"
      },
      {
        "db": "VULHUB",
        "id": "VHN-426269"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-2135"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202206-2713"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-2135"
      }
    ]
  },
  "id": "VAR-202206-2050",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-426269"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2025-12-22T23:48:47.890000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Advantech has issued an update to correct this vulnerability.",
        "trust": 10.5,
        "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-919"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-918"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-917"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-916"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-915"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-914"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-913"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-911"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-908"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-906"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-901"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-898"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-896"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-888"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-886"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-426269"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-2135"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 12.3,
        "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2022-2135/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2022.3141"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2022062918"
      },
      {
        "trust": 0.6,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-919"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-918"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-917"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-916"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-915"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-914"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-913"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-911"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-908"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-906"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-901"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-898"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-896"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-888"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-886"
      },
      {
        "db": "VULHUB",
        "id": "VHN-426269"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-2135"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202206-2713"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-2135"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-22-919"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-918"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-917"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-916"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-915"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-914"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-913"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-911"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-908"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-906"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-901"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-898"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-896"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-888"
      },
      {
        "db": "ZDI",
        "id": "ZDI-22-886"
      },
      {
        "db": "VULHUB",
        "id": "VHN-426269"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-2135"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202206-2713"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-2135"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-919"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-918"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-917"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-916"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-915"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-914"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-913"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-911"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-908"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-906"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-901"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-898"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-896"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-888"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-886"
      },
      {
        "date": "2022-07-22T00:00:00",
        "db": "VULHUB",
        "id": "VHN-426269"
      },
      {
        "date": "2022-06-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202206-2713"
      },
      {
        "date": "2022-07-22T15:15:08.117000",
        "db": "NVD",
        "id": "CVE-2022-2135"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-919"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-918"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-917"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-916"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-915"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-914"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-913"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-911"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-908"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-906"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-901"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-898"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-896"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-888"
      },
      {
        "date": "2022-06-30T00:00:00",
        "db": "ZDI",
        "id": "ZDI-22-886"
      },
      {
        "date": "2022-07-28T00:00:00",
        "db": "VULHUB",
        "id": "VHN-426269"
      },
      {
        "date": "2022-07-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202206-2713"
      },
      {
        "date": "2022-07-28T20:10:10.260000",
        "db": "NVD",
        "id": "CVE-2022-2135"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202206-2713"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Advantech iView setTaskEditorItem DESCRIPTION  SQL Injection Remote Code Execution Vulnerability",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-22-919"
      }
    ],
    "trust": 0.7
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SQL injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202206-2713"
      }
    ],
    "trust": 0.6
  }
}

VAR-202007-0395

Vulnerability from variot - Updated: 2025-12-21 23:19

Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities caused by the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the TaskEditDeviceTable class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Advantech iView is a device management application provided by Advantech.


{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "iview",
        "scope": null,
        "trust": 11.9,
        "vendor": "advantech",
        "version": null
      },
      {
        "_id": null,
        "model": "iview",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "advantech",
        "version": "5.6"
      },
      {
        "_id": null,
        "model": "iview",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "advantech",
        "version": "\u003c=5.6"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-860"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-848"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-869"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-862"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-843"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-868"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-836"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-835"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-845"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-864"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-865"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-857"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-863"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-855"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-837"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-827"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-853"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-42953"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-14497"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "rgod",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-860"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-848"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-869"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-862"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-843"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-868"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-836"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-835"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-845"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-864"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-865"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-857"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-863"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-855"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-837"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-827"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-853"
      }
    ],
    "trust": 11.9
  },
  "cve": "CVE-2020-14497",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2020-14497",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.0,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2020-42953",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ZDI",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2020-14497",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 7.0,
            "userInteraction": "NONE",
            "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ZDI",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2020-14497",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 4.9,
            "userInteraction": "NONE",
            "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2020-14497",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "ZDI",
            "id": "CVE-2020-14497",
            "trust": 7.0,
            "value": "HIGH"
          },
          {
            "author": "ZDI",
            "id": "CVE-2020-14497",
            "trust": 4.9,
            "value": "CRITICAL"
          },
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2020-14497",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2020-42953",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202007-968",
            "trust": 0.6,
            "value": "CRITICAL"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-860"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-848"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-869"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-862"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-843"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-868"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-836"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-835"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-845"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-864"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-865"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-857"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-863"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-855"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-837"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-827"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-853"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-42953"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-968"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-14497"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the TaskEditDeviceTable class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Advantech iView is a device management application provided by Advantech",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-14497"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-848"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-853"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-827"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-837"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-855"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-863"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-857"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-865"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-860"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-845"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-835"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-836"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-868"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-843"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-862"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-869"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-864"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-42953"
      }
    ],
    "trust": 12.15
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-14497",
        "trust": 14.1
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-860",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-848",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-869",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-862",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-843",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-868",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-836",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-835",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-845",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-864",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-865",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-857",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-863",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-855",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-837",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-827",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-853",
        "trust": 2.3
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-852",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-833",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-854",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-849",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-839",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-851",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-838",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-842",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-861",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-847",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-832",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-858",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-830",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-866",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-828",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-850",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-844",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-846",
        "trust": 1.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-856",
        "trust": 1.6
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-20-196-01",
        "trust": 1.6
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10700",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10631",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10716",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10703",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10626",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10707",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10656",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10655",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10628",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10706",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10717",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10970",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10704",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10671",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10657",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10634",
        "trust": 0.7
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-10669",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-42953",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.2382",
        "trust": 0.6
      },
      {
        "db": "NSFOCUS",
        "id": "47245",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-968",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-860"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-848"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-869"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-862"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-843"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-868"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-836"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-835"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-845"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-864"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-865"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-857"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-863"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-855"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-837"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-827"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-853"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-42953"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-968"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-14497"
      }
    ]
  },
  "id": "VAR-202007-0395",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-42953"
      }
    ],
    "trust": 0.06
  },
  "iot_taxonomy": {
    "_id": null,
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-42953"
      }
    ]
  },
  "last_update_date": "2025-12-21T23:19:44.869000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "Advantech has issued an update to correct this vulnerability.",
        "trust": 11.9,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33"
      },
      {
        "title": "Patch for Advantech iView SQL injection vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/227467"
      },
      {
        "title": "Advantech iView SQL Repair measures for injecting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=124494"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-860"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-848"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-869"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-862"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-843"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-868"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-836"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-835"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-845"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-864"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-865"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-857"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-863"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-855"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-837"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-827"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-853"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-42953"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-968"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-14497"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 11.9,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33"
      },
      {
        "trust": 2.2,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-196-01"
      },
      {
        "trust": 2.2,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-869/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-862/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-830/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-852/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-860/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-850/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-837/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-827/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-849/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-835/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-857/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-847/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-833/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-855/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-845/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-853/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-843/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-865/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-839/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-851/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-863/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-861/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-848/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-838/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-846/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-868/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-836/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-858/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-844/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-866/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-856/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-842/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-864/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-832/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-854/"
      },
      {
        "trust": 1.6,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-20-828/"
      },
      {
        "trust": 1.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-14497"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.2382/"
      },
      {
        "trust": 0.6,
        "url": "http://www.nsfocus.net/vulndb/47245"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-20-860"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-848"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-869"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-862"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-843"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-868"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-836"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-835"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-845"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-864"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-865"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-857"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-863"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-855"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-837"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-827"
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-853"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-42953"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-968"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-14497"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-20-860",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-848",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-869",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-862",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-843",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-868",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-836",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-835",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-845",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-864",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-865",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-857",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-863",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-855",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-837",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-827",
        "ident": null
      },
      {
        "db": "ZDI",
        "id": "ZDI-20-853",
        "ident": null
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-42953",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-968",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2020-14497",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-860",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-848",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-869",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-862",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-843",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-868",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-836",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-835",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-845",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-864",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-865",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-857",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-863",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-855",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-837",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-827",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-853",
        "ident": null
      },
      {
        "date": "2020-07-29T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-42953",
        "ident": null
      },
      {
        "date": "2020-07-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202007-968",
        "ident": null
      },
      {
        "date": "2020-07-15T02:15:12.547000",
        "db": "NVD",
        "id": "CVE-2020-14497",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-860",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-848",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-869",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-862",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-843",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-868",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-836",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-835",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-845",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-864",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-865",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-857",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-863",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-855",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-837",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-827",
        "ident": null
      },
      {
        "date": "2020-07-16T00:00:00",
        "db": "ZDI",
        "id": "ZDI-20-853",
        "ident": null
      },
      {
        "date": "2020-07-29T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2020-42953",
        "ident": null
      },
      {
        "date": "2020-12-31T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202007-968",
        "ident": null
      },
      {
        "date": "2024-11-21T05:03:23.890000",
        "db": "NVD",
        "id": "CVE-2020-14497",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-968"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "_id": null,
    "data": "Advantech iView SQL injection vulnerability",
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2020-42953"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-968"
      }
    ],
    "trust": 1.2
  },
  "type": {
    "_id": null,
    "data": "SQL injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202007-968"
      }
    ],
    "trust": 0.6
  }
}

VAR-202406-0276

Vulnerability from variot - Updated: 2025-12-20 23:36

Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17863. Advantech iView, developed by Advantech Co., Ltd., is software used primarily to manage B+B SmartWorx series devices via the Simple Network Management Protocol (SNMP).


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202406-0276",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "iview",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "advantech",
        "version": "5.7.04.6752"
      },
      {
        "model": "iview",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
        "version": "5.7.04.6752"
      },
      {
        "model": "iview",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
        "version": null
      },
      {
        "model": "iview",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
        "version": null
      },
      {
        "model": "iview",
        "scope": null,
        "trust": 0.7,
        "vendor": "advantech",
        "version": null
      },
      {
        "model": "iview",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "advantech",
        "version": "*"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-24-610"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2025-30966"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-016112"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-52335"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Anonymous",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-24-610"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2023-52335",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "NONE",
            "baseScore": 7.8,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2025-30966",
            "impactScore": 6.9,
            "integrityImpact": "NONE",
            "severity": "HIGH",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "zdi-disclosures@trendmicro.com",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2023-52335",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2023-52335",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "ZDI",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2023-52335",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 0.7,
            "userInteraction": "NONE",
            "vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "zdi-disclosures@trendmicro.com",
            "id": "CVE-2023-52335",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2023-52335",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2023-52335",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "ZDI",
            "id": "CVE-2023-52335",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2025-30966",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-24-610"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2025-30966"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-016112"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-52335"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-52335"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17863. Advantech Co., Ltd. Advantech iView is a software developed by Advantech, primarily used to manage B+B SmartWorx series devices via a simple network management protocol",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-52335"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-016112"
      },
      {
        "db": "ZDI",
        "id": "ZDI-24-610"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2025-30966"
      }
    ],
    "trust": 2.79
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2023-52335",
        "trust": 3.9
      },
      {
        "db": "ZDI",
        "id": "ZDI-24-610",
        "trust": 3.1
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-016112",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-17863",
        "trust": 0.7
      },
      {
        "db": "CNVD",
        "id": "CNVD-2025-30966",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-24-610"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2025-30966"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-016112"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-52335"
      }
    ]
  },
  "id": "VAR-202406-0276",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2025-30966"
      }
    ],
    "trust": 0.06
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2025-30966"
      }
    ]
  },
  "last_update_date": "2025-12-20T23:36:33.060000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Advantech has issued an update to correct this vulnerability.",
        "trust": 0.7,
        "url": "https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183"
      },
      {
        "title": "Patch for Advantech iView SQL Injection Vulnerability (CNVD-2025-30966)",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchInfo/show/782911"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-24-610"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2025-30966"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-89",
        "trust": 1.0
      },
      {
        "problemtype": "SQL injection (CWE-89) [ others ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-016112"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-52335"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://www.advantech.com/zh-tw/support/details/firmware?id=1-hipu-183"
      },
      {
        "trust": 2.4,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-24-610/"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-52335"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-24-610"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2025-30966"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-016112"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-52335"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-24-610"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2025-30966"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-016112"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-52335"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2024-06-12T00:00:00",
        "db": "ZDI",
        "id": "ZDI-24-610"
      },
      {
        "date": "2025-12-18T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2025-30966"
      },
      {
        "date": "2025-01-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2024-016112"
      },
      {
        "date": "2024-11-22T20:15:07.927000",
        "db": "NVD",
        "id": "CVE-2023-52335"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2024-08-15T00:00:00",
        "db": "ZDI",
        "id": "ZDI-24-610"
      },
      {
        "date": "2025-12-18T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2025-30966"
      },
      {
        "date": "2025-01-10T05:26:00",
        "db": "JVNDB",
        "id": "JVNDB-2024-016112"
      },
      {
        "date": "2025-01-09T16:05:53.673000",
        "db": "NVD",
        "id": "CVE-2023-52335"
      }
    ]
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Advantech Co., Ltd. \u00a0iView\u00a0 In \u00a0SQL\u00a0 Injection vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2024-016112"
      }
    ],
    "trust": 0.8
  }
}

CVE-2025-13373 (GCVE-0-2025-13373)

Vulnerability from nvd – Published: 2025-12-04 22:50 – Updated: 2025-12-05 14:41
Title
Advantech iView SQL Injection
Summary
Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 5.7.05.7057
Unaffected: 5.8.1
Credits
m00nback reported this vulnerability to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13373",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-05T14:41:06.639585Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-05T14:41:15.442Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "status": "affected",
              "version": "5.7.05.7057"
            },
            {
              "status": "unaffected",
              "version": "5.8.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "m00nback reported this vulnerability to CISA."
        }
      ],
      "datePublic": "2025-12-04T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAdvantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands.\u003c/span\u003e"
            }
          ],
          "value": "Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T22:50:36.079Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-07"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-07.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAdvantech recommends users update to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183\"\u003eiView v5.8.1\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to  iView v5.8.1 https://www.advantech.com/zh-tw/support/details/firmware ."
        }
      ],
      "source": {
        "advisory": "ICSA-25-338-07",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView SQL Injection",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-13373",
    "datePublished": "2025-12-04T22:50:36.079Z",
    "dateReserved": "2025-11-18T18:48:07.936Z",
    "dateUpdated": "2025-12-05T14:41:15.442Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50595 (GCVE-0-2022-50595)

Vulnerability from nvd – Published: 2025-11-06 19:58 – Updated: 2025-11-15 23:59
Title
Advantech iView < v5.7.04 Build 6425 ztp_search_value Parameter SQL Injection RCE
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_search_value’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.04 build 6425 (custom)
Credits
Exodus Intelligence

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-50595",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T20:32:39.463045Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T20:33:36.519Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "\u2018NetworkServlet\u2019 endpoint",
            "\u2018ztp_search_value\u2019 parameter"
          ],
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.04 build 6425",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.7.04.6425",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Exodus Intelligence"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_search_value\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges.\u003c/span\u003e"
            }
          ],
          "value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_search_value\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-15T23:59:59.400Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-ztp_search_value-parameter-sql-injection-remote-code-execution-vulnerability/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/advantech-iview-ztpsearchvalue-parameter-sqli-rce"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-03-01T17:00:00.000Z",
          "value": "Exodus Intelligence publicly discloses technical details of vulnerability."
        },
        {
          "lang": "en",
          "time": "2022-01-27T17:00:00.000Z",
          "value": "Advantech releases patched version - 5.7.04 build 6425."
        }
      ],
      "title": "Advantech iView \u003c v5.7.04 Build 6425 ztp_search_value Parameter SQL Injection RCE",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2022-50595",
    "datePublished": "2025-11-06T19:58:23.068Z",
    "dateReserved": "2025-11-05T16:58:35.657Z",
    "dateUpdated": "2025-11-15T23:59:59.400Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50594 (GCVE-0-2022-50594)

Vulnerability from nvd – Published: 2025-11-06 19:57 – Updated: 2025-11-15 23:59
Title
Advantech iView < v5.7.04 Build 6425 data Parameter SQL Injection Information Disclosure
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘data’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, including clear text passwords.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.04 build 6425 (custom)
Credits
Exodus Intelligence

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-50594",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T21:09:23.817460Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T21:10:30.978Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "\u2018NetworkServlet\u2019 endpoint",
            "\u2018data\u2019 parameter"
          ],
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.04 build 6425",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.7.04.6425",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Exodus Intelligence"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018data\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.\u003c/span\u003e"
            }
          ],
          "value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018data\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-15T23:59:29.701Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-page_action_service-parameter-sql-injection-remote-code-execution-vulnerability/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/advantech-iview-data-parameter-sqli-information-disclosure"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-03-01T17:00:00.000Z",
          "value": "Exodus Intelligence publicly discloses technical details of vulnerability."
        },
        {
          "lang": "en",
          "time": "2022-01-27T17:00:00.000Z",
          "value": "Advantech releases patched version - 5.7.04 build 6425."
        }
      ],
      "title": "Advantech iView \u003c v5.7.04 Build 6425 data Parameter SQL Injection Information Disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2022-50594",
    "datePublished": "2025-11-06T19:57:00.425Z",
    "dateReserved": "2025-11-05T16:58:35.657Z",
    "dateUpdated": "2025-11-15T23:59:29.701Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50593 (GCVE-0-2022-50593)

Vulnerability from nvd – Published: 2025-11-06 19:57 – Updated: 2025-11-15 23:59
Title
Advantech iView < v5.7.04 Build 6425 search_term Parameter SQL Injection RCE
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘search_term’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.04 build 6425 (custom)
Credits
Exodus Intelligence

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-50593",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T20:53:42.734371Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T21:02:21.355Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "\u2018NetworkServlet\u2019 endpoint",
            "\u2018data\u2019 parameter"
          ],
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.04 build 6425",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.7.04.6425",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Exodus Intelligence"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018search_term\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges.\u003c/span\u003e"
            }
          ],
          "value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018search_term\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-15T23:59:11.781Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-search_term-parameter-sql-injection-remote-code-execution-vulnerability/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/advantech-iview-searchterm-parameter-sqli-rce"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-03-01T17:00:00.000Z",
          "value": "Exodus Intelligence publicly discloses technical details of vulnerability."
        },
        {
          "lang": "en",
          "time": "2022-01-27T17:00:00.000Z",
          "value": "Advantech releases patched version - 5.7.04 build 6425."
        }
      ],
      "title": "Advantech iView \u003c v5.7.04 Build 6425 search_term Parameter SQL Injection RCE",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2022-50593",
    "datePublished": "2025-11-06T19:57:44.271Z",
    "dateReserved": "2025-11-05T16:58:35.657Z",
    "dateUpdated": "2025-11-15T23:59:11.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50592 (GCVE-0-2022-50592)

Vulnerability from nvd – Published: 2025-11-06 19:57 – Updated: 2025-11-15 23:58
Title
Advantech iView < v5.7.04 Build 6425 getInventoryReportData Parameter SQL Injection RCE
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘getInventoryReportData’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.04 build 6425 (custom)
Credits
Exodus Intelligence

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-50592",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T21:06:59.646737Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T21:07:38.762Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "\u2018NetworkServlet\u2019 endpoint",
            "\u2018getInventoryReportData\u2019 parameter"
          ],
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.04 build 6425",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.7.04.6425",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Exodus Intelligence"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018getInventoryReportData\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
            }
          ],
          "value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018getInventoryReportData\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-15T23:58:49.386Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-getinventoryreportdata-parameter-sql-injection-information-disclosure/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/advantech-iview-getinventoryreportdata-parameter-sqli-rce"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-03-01T17:00:00.000Z",
          "value": "Exodus Intelligence publicly discloses technical details of vulnerability."
        },
        {
          "lang": "en",
          "time": "2022-01-27T17:00:00.000Z",
          "value": "Advantech releases patched version - 5.7.04 build 6425."
        }
      ],
      "title": "Advantech iView \u003c v5.7.04 Build 6425 getInventoryReportData Parameter SQL Injection RCE",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2022-50592",
    "datePublished": "2025-11-06T19:57:20.528Z",
    "dateReserved": "2025-11-05T16:58:35.656Z",
    "dateUpdated": "2025-11-15T23:58:49.386Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50591 (GCVE-0-2022-50591)

Vulnerability from nvd – Published: 2025-11-06 19:58 – Updated: 2025-11-15 23:58
Title
Advantech iView < v5.7.04 Build 6425 ztp_config_id Parameter SQL Injection Information Disclosure
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_config_id’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, including clear text passwords.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.04 build 6425 (custom)
Credits
Exodus Intelligence

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-50591",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T20:36:05.770888Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T20:36:15.818Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "\u2018NetworkServlet\u2019 endpoint",
            "\u2018ztp_config_id\u2019 parameter"
          ],
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.04 build 6425",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.7.04.6425",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Exodus Intelligence"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_config_id\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
            }
          ],
          "value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_config_id\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-15T23:58:29.068Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-ztp_config_id-parameter-sql-injection-information-disclosure-vulnerability/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/advantech-iview-ztpconfigid-parameter-sqli-information-disclosure"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-03-01T17:00:00.000Z",
          "value": "Exodus Intelligence publicly discloses technical details of vulnerability."
        },
        {
          "lang": "en",
          "time": "2022-01-27T17:00:00.000Z",
          "value": "Advantech releases patched version - 5.7.04 build 6425."
        }
      ],
      "title": "Advantech iView \u003c v5.7.04 Build 6425 ztp_config_id Parameter SQL Injection Information Disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2022-50591",
    "datePublished": "2025-11-06T19:58:06.223Z",
    "dateReserved": "2025-11-05T16:58:35.656Z",
    "dateUpdated": "2025-11-15T23:58:29.068Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-53519 (GCVE-0-2025-53519)

Vulnerability from nvd – Published: 2025-07-10 23:14 – Updated: 2025-07-11 17:50
Title
Advantech iView Cross-site Scripting
Summary
A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By manipulating specific parameters, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities.
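CWE
CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
icscert
Impacted products
Vendor | Product | Version
Advantech | iView | Affected: all versions from 0 up to, but not including, 5.7.05 build 7057 (version type: custom)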
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53519",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T17:49:52.229018Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T17:50:07.862Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView versions prior to 5.7.05 build\n 7057, which could allow a reflected cross-site scripting (XSS) attack. \nBy manipulating specific parameters, an attacker could execute \nunauthorized scripts in the user\u0027s browser, potentially leading to \ninformation disclosure or other malicious activities."
            }
          ],
          "value": "A vulnerability exists in Advantech iView versions prior to 5.7.05 build\n 7057, which could allow a reflected cross-site scripting (XSS) attack. \nBy manipulating specific parameters, an attacker could execute \nunauthorized scripts in the user\u0027s browser, potentially leading to \ninformation disclosure or other malicious activities."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:14:37.185Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057 (https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183)."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView Cross-site Scripting",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-53519",
    "datePublished": "2025-07-10T23:14:37.185Z",
    "dateReserved": "2025-07-02T15:12:58.594Z",
    "dateUpdated": "2025-07-11T17:50:07.862Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53515 (GCVE-0-2025-53515)

Vulnerability from nvd – Published: 2025-07-10 23:25 – Updated: 2025-07-11 13:57
Title
Advantech iView SQL Injection
Summary
A vulnerability exists in Advantech iView that allows for SQL injection and remote code execution through NetworkServlet.archiveTrap(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.
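CWE
CWE-89 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
icscert
Impacted products
Vendor | Product | Version
Advantech | iView | Affected: all versions from 0 up to, but not including, 5.7.05 build 7057 (version type: custom)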
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53515",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:57:29.867588Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:57:41.891Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView that allows for SQL injection \nand remote code execution through NetworkServlet.archiveTrap(). This \nissue requires an authenticated attacker with at least user-level \nprivileges. Certain input parameters are not sanitized, allowing an \nattacker to perform SQL injection and potentially execute code in the \ncontext of the \u0027nt authority\\local service\u0027 account."
            }
          ],
          "value": "A vulnerability exists in Advantech iView that allows for SQL injection \nand remote code execution through NetworkServlet.archiveTrap(). This \nissue requires an authenticated attacker with at least user-level \nprivileges. Certain input parameters are not sanitized, allowing an \nattacker to perform SQL injection and potentially execute code in the \ncontext of the \u0027nt authority\\local service\u0027 account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:25:51.561Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057 (https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183)."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView SQL Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-53515",
    "datePublished": "2025-07-10T23:25:51.561Z",
    "dateReserved": "2025-07-02T15:12:58.638Z",
    "dateUpdated": "2025-07-11T13:57:41.891Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53509 (GCVE-0-2025-53509)

Vulnerability from nvd – Published: 2025-07-10 23:29 – Updated: 2025-07-11 13:29
Title
Advantech iView Argument Injection
Summary
A vulnerability exists in Advantech iView that allows for argument injection in the NetworkServlet.restoreDatabase(). This issue requires an authenticated attacker with at least user-level privileges. An input parameter can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials.
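CWE
CWE-88 – Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
icscert
Impacted products
Vendor | Product | Version
Advantech | iView | Affected: all versions from 0 up to, but not including, 5.7.05 build 7057 (version type: custom)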
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53509",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:29:30.324999Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:29:37.165Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in the NetworkServlet.restoreDatabase(). This issue requires \nan authenticated attacker with at least user-level privileges. An input \nparameter can be used directly in a command without proper sanitization,\n allowing arbitrary arguments to be injected. This can result in \ninformation disclosure, including sensitive database credentials."
            }
          ],
          "value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in the NetworkServlet.restoreDatabase(). This issue requires \nan authenticated attacker with at least user-level privileges. An input \nparameter can be used directly in a command without proper sanitization,\n allowing arbitrary arguments to be injected. This can result in \ninformation disclosure, including sensitive database credentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:29:10.103Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057 (https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183)."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView Argument Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-53509",
    "datePublished": "2025-07-10T23:29:10.103Z",
    "dateReserved": "2025-07-02T15:12:58.651Z",
    "dateUpdated": "2025-07-11T13:29:37.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53475 (GCVE-0-2025-53475)

Vulnerability from nvd – Published: 2025-07-10 23:23 – Updated: 2025-07-11 13:39
Title
Advantech iView SQL Injection
Summary
A vulnerability exists in Advantech iView that could allow for SQL injection and remote code execution through NetworkServlet.getNextTrapPage(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters in this function are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.
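CWE
CWE-89 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
icscert
Impacted products
Vendor | Product | Version
Advantech | iView | Affected: all versions from 0 up to, but not including, 5.7.05 build 7057 (version type: custom)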
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53475",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:38:26.738460Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-89",
                "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:39:39.168Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView that could allow for SQL \ninjection and remote code execution through \nNetworkServlet.getNextTrapPage(). This issue requires an authenticated \nattacker with at least user-level privileges. Certain parameters in this\n function are not properly sanitized, allowing an attacker to perform \nSQL injection and potentially execute code in the context of the \u0027nt \nauthority\\local service\u0027 account."
            }
          ],
          "value": "A vulnerability exists in Advantech iView that could allow for SQL \ninjection and remote code execution through \nNetworkServlet.getNextTrapPage(). This issue requires an authenticated \nattacker with at least user-level privileges. Certain parameters in this\n function are not properly sanitized, allowing an attacker to perform \nSQL injection and potentially execute code in the context of the \u0027nt \nauthority\\local service\u0027 account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:23:38.421Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057 (https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183)."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView SQL Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-53475",
    "datePublished": "2025-07-10T23:23:38.421Z",
    "dateReserved": "2025-07-02T15:12:58.621Z",
    "dateUpdated": "2025-07-11T13:39:39.168Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53397 (GCVE-0-2025-53397)

Vulnerability from nvd – Published: 2025-07-10 23:13 – Updated: 2025-07-11 13:58
Title
Advantech iView Cross-site Scripting
Summary
A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By exploiting this flaw, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities.
CWE
Assigner
Impacted products
Vendor | Product | Version
Advantech | iView | Affected: all versions from 0 up to, but not including, 5.7.05 build 7057 (version type: custom)
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53397",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:58:14.600623Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:58:21.416Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView versions prior to 5.7.05 build\n 7057, which could allow a reflected cross-site scripting (XSS) attack. \nBy exploiting this flaw, an attacker could execute unauthorized scripts \nin the user\u0027s browser, potentially leading to information disclosure or \nother malicious activities."
            }
          ],
          "value": "A vulnerability exists in Advantech iView versions prior to 5.7.05 build\n 7057, which could allow a reflected cross-site scripting (XSS) attack. \nBy exploiting this flaw, an attacker could execute unauthorized scripts \nin the user\u0027s browser, potentially leading to information disclosure or \nother malicious activities."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:13:27.593Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057 (https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183)."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView Cross-site Scripting",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-53397",
    "datePublished": "2025-07-10T23:13:27.593Z",
    "dateReserved": "2025-07-02T15:12:58.579Z",
    "dateUpdated": "2025-07-11T13:58:21.416Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-52577 (GCVE-0-2025-52577)

Vulnerability from nvd – Published: 2025-07-10 23:24 – Updated: 2025-07-11 13:39
Title
Advantech iView SQL Injection
Summary
A vulnerability exists in Advantech iView that could allow SQL injection and remote code execution through NetworkServlet.archiveTrapRange(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.
CWE
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.05 build 7057 (custom)
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52577",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:38:17.239954Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-89",
                "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:39:11.777Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView that could allow SQL injection\n and remote code execution through NetworkServlet.archiveTrapRange(). \nThis issue requires an authenticated attacker with at least user-level \nprivileges. Certain input parameters are not properly sanitized, \nallowing an attacker to perform SQL injection and potentially execute \ncode in the context of the \u0027nt authority\\local service\u0027 account."
            }
          ],
          "value": "A vulnerability exists in Advantech iView that could allow SQL injection\n and remote code execution through NetworkServlet.archiveTrapRange(). \nThis issue requires an authenticated attacker with at least user-level \nprivileges. Certain input parameters are not properly sanitized, \nallowing an attacker to perform SQL injection and potentially execute \ncode in the context of the \u0027nt authority\\local service\u0027 account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:24:42.965Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057 (https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183)."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView SQL Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-52577",
    "datePublished": "2025-07-10T23:24:42.965Z",
    "dateReserved": "2025-07-02T15:12:58.630Z",
    "dateUpdated": "2025-07-11T13:39:11.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-52459 (GCVE-0-2025-52459)

Vulnerability from nvd – Published: 2025-07-10 23:28 – Updated: 2025-07-11 13:29
Title
Advantech iView Argument Injection
Summary
A vulnerability exists in Advantech iView that allows for argument injection in NetworkServlet.backupDatabase(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials.
CWE
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.05 build 7057 (custom)
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52459",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:29:50.282666Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:29:56.285Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in NetworkServlet.backupDatabase(). This issue requires an \nauthenticated attacker with at least user-level privileges. Certain \nparameters can be used directly in a command without proper \nsanitization, allowing arbitrary arguments to be injected. This can \nresult in information disclosure, including sensitive database \ncredentials."
            }
          ],
          "value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in NetworkServlet.backupDatabase(). This issue requires an \nauthenticated attacker with at least user-level privileges. Certain \nparameters can be used directly in a command without proper \nsanitization, allowing arbitrary arguments to be injected. This can \nresult in information disclosure, including sensitive database \ncredentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:28:08.679Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057 (https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183)."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView Argument Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-52459",
    "datePublished": "2025-07-10T23:28:08.679Z",
    "dateReserved": "2025-07-02T15:12:58.643Z",
    "dateUpdated": "2025-07-11T13:29:56.285Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-48891 (GCVE-0-2025-48891)

Vulnerability from nvd – Published: 2025-07-10 23:17 – Updated: 2025-07-11 13:42
Title
Advantech iView SQL Injection
Summary
A vulnerability exists in Advantech iView that could allow for SQL injection through the CUtils.checkSQLInjection() function. This vulnerability can be exploited by an authenticated attacker with at least user-level privileges, potentially leading to information disclosure or a denial-of-service condition.
CWE
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.05 build 7057 (custom)
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-48891",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:38:49.578799Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-89",
                "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:42:37.695Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView that could allow for SQL \ninjection through the CUtils.checkSQLInjection() function. This \nvulnerability can be exploited by an authenticated attacker with at \nleast user-level privileges, potentially leading to information \ndisclosure or a denial-of-service condition."
            }
          ],
          "value": "A vulnerability exists in Advantech iView that could allow for SQL \ninjection through the CUtils.checkSQLInjection() function. This \nvulnerability can be exploited by an authenticated attacker with at \nleast user-level privileges, potentially leading to information \ndisclosure or a denial-of-service condition."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:17:45.815Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057 (https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183)."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView SQL Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-48891",
    "datePublished": "2025-07-10T23:17:45.815Z",
    "dateReserved": "2025-07-02T15:12:58.607Z",
    "dateUpdated": "2025-07-11T13:42:37.695Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-46704 (GCVE-0-2025-46704)

Vulnerability from nvd – Published: 2025-07-10 23:19 – Updated: 2025-07-11 13:40
Title
Advantech iView Path Traversal
Summary
A vulnerability exists in Advantech iView in NetworkServlet.processImportRequest() that could allow for a directory traversal attack. This issue requires an authenticated attacker with at least user-level privileges. A specific parameter is not properly sanitized or normalized, potentially allowing an attacker to determine the existence of arbitrary files on the server.
CWE
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.05 build 7057 (custom)
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46704",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:38:39.368395Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:40:07.067Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView in \nNetworkServlet.processImportRequest() that could allow for a directory \ntraversal attack. This issue requires an authenticated attacker with at \nleast user-level privileges. A specific parameter is not properly \nsanitized or normalized, potentially allowing an attacker to determine \nthe existence of arbitrary files on the server."
            }
          ],
          "value": "A vulnerability exists in Advantech iView in \nNetworkServlet.processImportRequest() that could allow for a directory \ntraversal attack. This issue requires an authenticated attacker with at \nleast user-level privileges. A specific parameter is not properly \nsanitized or normalized, potentially allowing an attacker to determine \nthe existence of arbitrary files on the server."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:19:32.390Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to  v5.7.05 build 7057 https://www.advantech.com/en/support/details/firmware- ."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView Path Traversal",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-46704",
    "datePublished": "2025-07-10T23:19:32.390Z",
    "dateReserved": "2025-07-02T15:12:58.615Z",
    "dateUpdated": "2025-07-11T13:40:07.067Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-41442 (GCVE-0-2025-41442)

Vulnerability from nvd – Published: 2025-07-10 23:15 – Updated: 2025-07-11 17:50
Title
Advantech iView Cross-site Scripting
Summary
A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By manipulating certain input parameters, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities.
CWE
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.05 build 7057 (custom)
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-41442",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T17:49:43.275598Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T17:50:31.478Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView versions prior to 5.7.05 build\n 7057, which could allow a reflected cross-site scripting (XSS) attack. \nBy manipulating certain input parameters, an attacker could execute \nunauthorized scripts in the user\u0027s browser, potentially leading to \ninformation disclosure or other malicious activities."
            }
          ],
          "value": "A vulnerability exists in Advantech iView versions prior to 5.7.05 build\n 7057, which could allow a reflected cross-site scripting (XSS) attack. \nBy manipulating certain input parameters, an attacker could execute \nunauthorized scripts in the user\u0027s browser, potentially leading to \ninformation disclosure or other malicious activities."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:15:27.981Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to  v5.7.05 build 7057 https://www.advantech.com/en/support/details/firmware- ."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView Cross-site Scripting",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-41442",
    "datePublished": "2025-07-10T23:15:27.981Z",
    "dateReserved": "2025-07-02T15:12:58.600Z",
    "dateUpdated": "2025-07-11T17:50:31.478Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-13373 (GCVE-0-2025-13373)

Vulnerability from cvelistv5 – Published: 2025-12-04 22:50 – Updated: 2025-12-05 14:41
Title
Advantech iView SQL Injection
Summary
Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 5.7.05.7057
Unaffected: 5.8.1
Credits
m00nback reported this vulnerability to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13373",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-05T14:41:06.639585Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-05T14:41:15.442Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "status": "affected",
              "version": "5.7.05.7057"
            },
            {
              "status": "unaffected",
              "version": "5.8.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "m00nback reported this vulnerability to CISA."
        }
      ],
      "datePublic": "2025-12-04T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAdvantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands.\u003c/span\u003e"
            }
          ],
          "value": "Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T22:50:36.079Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-07"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-338-07.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAdvantech recommends users update to \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183\"\u003eiView v5.8.1\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to  iView v5.8.1 https://www.advantech.com/zh-tw/support/details/firmware ."
        }
      ],
      "source": {
        "advisory": "ICSA-25-338-07",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView SQL Injection",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-13373",
    "datePublished": "2025-12-04T22:50:36.079Z",
    "dateReserved": "2025-11-18T18:48:07.936Z",
    "dateUpdated": "2025-12-05T14:41:15.442Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50595 (GCVE-0-2022-50595)

Vulnerability from cvelistv5 – Published: 2025-11-06 19:58 – Updated: 2025-11-15 23:59
Title
Advantech iView < v5.7.04 Build 6425 ztp_search_value Parameter SQL Injection RCE
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_search_value’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.04 build 6425 (custom)
Credits
Exodus Intelligence

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-50595",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T20:32:39.463045Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T20:33:36.519Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "\u2018NetworkServlet\u2019 endpoint",
            "\u2018ztp_search_value\u2019 parameter"
          ],
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.04 build 6425",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.7.04.6425",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Exodus Intelligence"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_search_value\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges.\u003c/span\u003e"
            }
          ],
          "value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_search_value\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-15T23:59:59.400Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-ztp_search_value-parameter-sql-injection-remote-code-execution-vulnerability/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/advantech-iview-ztpsearchvalue-parameter-sqli-rce"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-03-01T17:00:00.000Z",
          "value": "Exodus Intelligence publicly discloses technical details of vulnerability."
        },
        {
          "lang": "en",
          "time": "2022-01-27T17:00:00.000Z",
          "value": "Advantech releases patched version - 5.7.04 build 6425."
        }
      ],
      "title": "Advantech iView \u003c v5.7.04 Build 6425 ztp_search_value Parameter SQL Injection RCE",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2022-50595",
    "datePublished": "2025-11-06T19:58:23.068Z",
    "dateReserved": "2025-11-05T16:58:35.657Z",
    "dateUpdated": "2025-11-15T23:59:59.400Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50591 (GCVE-0-2022-50591)

Vulnerability from cvelistv5 – Published: 2025-11-06 19:58 – Updated: 2025-11-15 23:58
Title
Advantech iView < v5.7.04 Build 6425 ztp_config_id Parameter SQL Injection Information Disclosure
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_config_id’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, including clear text passwords.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.04 build 6425 (custom)
Credits
Exodus Intelligence

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-50591",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T20:36:05.770888Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T20:36:15.818Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "\u2018NetworkServlet\u2019 endpoint",
            "\u2018ztp_config_id\u2019 parameter"
          ],
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.04 build 6425",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.7.04.6425",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Exodus Intelligence"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_config_id\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
            }
          ],
          "value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018ztp_config_id\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-15T23:58:29.068Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-ztp_config_id-parameter-sql-injection-information-disclosure-vulnerability/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/advantech-iview-ztpconfigid-parameter-sqli-information-disclosure"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-03-01T17:00:00.000Z",
          "value": "Exodus Intelligence publicly discloses technical details of vulnerability."
        },
        {
          "lang": "en",
          "time": "2022-01-27T17:00:00.000Z",
          "value": "Advantech releases patched version - 5.7.04 build 6425."
        }
      ],
      "title": "Advantech iView \u003c v5.7.04 Build 6425 ztp_config_id Parameter SQL Injection Information Disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2022-50591",
    "datePublished": "2025-11-06T19:58:06.223Z",
    "dateReserved": "2025-11-05T16:58:35.656Z",
    "dateUpdated": "2025-11-15T23:58:29.068Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50593 (GCVE-0-2022-50593)

Vulnerability from cvelistv5 – Published: 2025-11-06 19:57 – Updated: 2025-11-15 23:59
Title
Advantech iView < v5.7.04 Build 6425 search_term Parameter SQL Injection RCE
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘search_term’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.04 build 6425 (custom)
Credits
Exodus Intelligence

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-50593",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T20:53:42.734371Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T21:02:21.355Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "\u2018NetworkServlet\u2019 endpoint",
            "\u2018data\u2019 parameter"
          ],
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.04 build 6425",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.7.04.6425",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Exodus Intelligence"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018search_term\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges.\u003c/span\u003e"
            }
          ],
          "value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018search_term\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-15T23:59:11.781Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-search_term-parameter-sql-injection-remote-code-execution-vulnerability/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/advantech-iview-searchterm-parameter-sqli-rce"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-03-01T17:00:00.000Z",
          "value": "Exodus Intelligence publicly discloses technical details of vulnerability."
        },
        {
          "lang": "en",
          "time": "2022-01-27T17:00:00.000Z",
          "value": "Advantech releases patched version - 5.7.04 build 6425."
        }
      ],
      "title": "Advantech iView \u003c v5.7.04 Build 6425 search_term Parameter SQL Injection RCE",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2022-50593",
    "datePublished": "2025-11-06T19:57:44.271Z",
    "dateReserved": "2025-11-05T16:58:35.657Z",
    "dateUpdated": "2025-11-15T23:59:11.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50592 (GCVE-0-2022-50592)

Vulnerability from cvelistv5 – Published: 2025-11-06 19:57 – Updated: 2025-11-15 23:58
Title
Advantech iView < v5.7.04 Build 6425 getInventoryReportData Parameter SQL Injection RCE
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘getInventoryReportData’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.04 build 6425 (custom)
Credits
Exodus Intelligence

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-50592",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T21:06:59.646737Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T21:07:38.762Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "\u2018NetworkServlet\u2019 endpoint",
            "\u2018getInventoryReportData\u2019 parameter"
          ],
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.04 build 6425",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.7.04.6425",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Exodus Intelligence"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018getInventoryReportData\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e"
            }
          ],
          "value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018getInventoryReportData\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for remote code execution with administrator privileges."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-15T23:58:49.386Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-getinventoryreportdata-parameter-sql-injection-information-disclosure/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/advantech-iview-getinventoryreportdata-parameter-sqli-rce"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-03-01T17:00:00.000Z",
          "value": "Exodus Intelligence publicly discloses technical details of vulnerability."
        },
        {
          "lang": "en",
          "time": "2022-01-27T17:00:00.000Z",
          "value": "Advantech releases patched version - 5.7.04 build 6425."
        }
      ],
      "title": "Advantech iView \u003c v5.7.04 Build 6425 getInventoryReportData Parameter SQL Injection RCE",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2022-50592",
    "datePublished": "2025-11-06T19:57:20.528Z",
    "dateReserved": "2025-11-05T16:58:35.656Z",
    "dateUpdated": "2025-11-15T23:58:49.386Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50594 (GCVE-0-2022-50594)

Vulnerability from cvelistv5 – Published: 2025-11-06 19:57 – Updated: 2025-11-15 23:59
Title
Advantech iView < v5.7.04 Build 6425 data Parameter SQL Injection Information Disclosure
Summary
Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘data’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, including cleartext passwords.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-306 - Missing Authentication for Critical Function
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.04 build 6425 (custom)
Credits
Exodus Intelligence

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-50594",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-06T21:09:23.817460Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-06T21:10:30.978Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "\u2018NetworkServlet\u2019 endpoint",
            "\u2018data\u2019 parameter"
          ],
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.04 build 6425",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.7.04.6425",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Exodus Intelligence"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech iView versions prior to v5.7.04 build 6425\u0026nbsp;contain a vulnerability \u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003ewithin the SNMP management tool\u0026nbsp;that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018data\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords.\u003c/span\u003e"
            }
          ],
          "value": "Advantech iView versions prior to v5.7.04 build 6425\u00a0contain a vulnerability within the SNMP management tool\u00a0that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the \u2018data\u2019 parameter to the \u2018NetworkServlet\u2019 endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-66",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-66 SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-15T23:59:29.701Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "release-notes",
            "patch"
          ],
          "url": "https://www.advantech.tw/support/details/firmware?id=1-HIPU-183"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://blog.exodusintel.com/2022/03/01/advantech-iview-page_action_service-parameter-sql-injection-remote-code-execution-vulnerability/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/advantech-iview-data-parameter-sqli-information-disclosure"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2022-03-01T17:00:00.000Z",
          "value": "Exodus Intelligence publicly discloses technical details of vulnerability."
        },
        {
          "lang": "en",
          "time": "2022-01-27T17:00:00.000Z",
          "value": "Advantech releases patched version - 5.7.04 build 6425."
        }
      ],
      "title": "Advantech iView \u003c v5.7.04 Build 6425 data Parameter SQL Injection Information Disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2022-50594",
    "datePublished": "2025-11-06T19:57:00.425Z",
    "dateReserved": "2025-11-05T16:58:35.657Z",
    "dateUpdated": "2025-11-15T23:59:29.701Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-53509 (GCVE-0-2025-53509)

Vulnerability from cvelistv5 – Published: 2025-07-10 23:29 – Updated: 2025-07-11 13:29
Title
Advantech iView Argument Injection
Summary
A vulnerability exists in Advantech iView that allows for argument injection in NetworkServlet.restoreDatabase(). This issue requires an authenticated attacker with at least user-level privileges. An input parameter can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials.
CWE
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.05 build 7057 (custom)
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53509",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:29:30.324999Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:29:37.165Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in the NetworkServlet.restoreDatabase(). This issue requires \nan authenticated attacker with at least user-level privileges. An input \nparameter can be used directly in a command without proper sanitization,\n allowing arbitrary arguments to be injected. This can result in \ninformation disclosure, including sensitive database credentials."
            }
          ],
          "value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in the NetworkServlet.restoreDatabase(). This issue requires \nan authenticated attacker with at least user-level privileges. An input \nparameter can be used directly in a command without proper sanitization,\n allowing arbitrary arguments to be injected. This can result in \ninformation disclosure, including sensitive database credentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:29:10.103Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057: https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView Argument Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-53509",
    "datePublished": "2025-07-10T23:29:10.103Z",
    "dateReserved": "2025-07-02T15:12:58.651Z",
    "dateUpdated": "2025-07-11T13:29:37.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-52459 (GCVE-0-2025-52459)

Vulnerability from cvelistv5 – Published: 2025-07-10 23:28 – Updated: 2025-07-11 13:29
Title
Advantech iView Argument Injection
Summary
A vulnerability exists in Advantech iView that allows for argument injection in NetworkServlet.backupDatabase(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials.
CWE
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.05 build 7057 (custom)
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52459",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:29:50.282666Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:29:56.285Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in NetworkServlet.backupDatabase(). This issue requires an \nauthenticated attacker with at least user-level privileges. Certain \nparameters can be used directly in a command without proper \nsanitization, allowing arbitrary arguments to be injected. This can \nresult in information disclosure, including sensitive database \ncredentials."
            }
          ],
          "value": "A vulnerability exists in Advantech iView that allows for argument \ninjection in NetworkServlet.backupDatabase(). This issue requires an \nauthenticated attacker with at least user-level privileges. Certain \nparameters can be used directly in a command without proper \nsanitization, allowing arbitrary arguments to be injected. This can \nresult in information disclosure, including sensitive database \ncredentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-88",
              "description": "CWE-88",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:28:08.679Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057 https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 ."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView Argument Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-52459",
    "datePublished": "2025-07-10T23:28:08.679Z",
    "dateReserved": "2025-07-02T15:12:58.643Z",
    "dateUpdated": "2025-07-11T13:29:56.285Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53515 (GCVE-0-2025-53515)

Vulnerability from cvelistv5 – Published: 2025-07-10 23:25 – Updated: 2025-07-11 13:57
Title
Advantech iView SQL Injection
Summary
A vulnerability exists in Advantech iView that allows for SQL injection and remote code execution through NetworkServlet.archiveTrap(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.
CWE
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.05 build 7057 (custom)
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53515",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:57:29.867588Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:57:41.891Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView that allows for SQL injection \nand remote code execution through NetworkServlet.archiveTrap(). This \nissue requires an authenticated attacker with at least user-level \nprivileges. Certain input parameters are not sanitized, allowing an \nattacker to perform SQL injection and potentially execute code in the \ncontext of the \u0027nt authority\\local service\u0027 account."
            }
          ],
          "value": "A vulnerability exists in Advantech iView that allows for SQL injection \nand remote code execution through NetworkServlet.archiveTrap(). This \nissue requires an authenticated attacker with at least user-level \nprivileges. Certain input parameters are not sanitized, allowing an \nattacker to perform SQL injection and potentially execute code in the \ncontext of the \u0027nt authority\\local service\u0027 account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:25:51.561Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057 https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 ."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView SQL Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-53515",
    "datePublished": "2025-07-10T23:25:51.561Z",
    "dateReserved": "2025-07-02T15:12:58.638Z",
    "dateUpdated": "2025-07-11T13:57:41.891Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-52577 (GCVE-0-2025-52577)

Vulnerability from cvelistv5 – Published: 2025-07-10 23:24 – Updated: 2025-07-11 13:39
Title
Advantech iView SQL Injection
Summary
A vulnerability exists in Advantech iView that could allow SQL injection and remote code execution through NetworkServlet.archiveTrapRange(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.
CWE
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.05 build 7057 (custom)
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52577",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:38:17.239954Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-89",
                "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:39:11.777Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView that could allow SQL injection\n and remote code execution through NetworkServlet.archiveTrapRange(). \nThis issue requires an authenticated attacker with at least user-level \nprivileges. Certain input parameters are not properly sanitized, \nallowing an attacker to perform SQL injection and potentially execute \ncode in the context of the \u0027nt authority\\local service\u0027 account."
            }
          ],
          "value": "A vulnerability exists in Advantech iView that could allow SQL injection\n and remote code execution through NetworkServlet.archiveTrapRange(). \nThis issue requires an authenticated attacker with at least user-level \nprivileges. Certain input parameters are not properly sanitized, \nallowing an attacker to perform SQL injection and potentially execute \ncode in the context of the \u0027nt authority\\local service\u0027 account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:24:42.965Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057 https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 ."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView SQL Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-52577",
    "datePublished": "2025-07-10T23:24:42.965Z",
    "dateReserved": "2025-07-02T15:12:58.630Z",
    "dateUpdated": "2025-07-11T13:39:11.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-53475 (GCVE-0-2025-53475)

Vulnerability from cvelistv5 – Published: 2025-07-10 23:23 – Updated: 2025-07-11 13:39
Title
Advantech iView SQL Injection
Summary
A vulnerability exists in Advantech iView that could allow for SQL injection and remote code execution through NetworkServlet.getNextTrapPage(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters in this function are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account.
CWE
Assigner
Impacted products
Vendor Product Version
Advantech iView Affected: 0 , < 5.7.05 build 7057 (custom)
Credits
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53475",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-11T13:38:26.738460Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-89",
                "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-11T13:39:39.168Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "iView",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThan": "5.7.05 build 7057",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in Advantech iView that could allow for SQL \ninjection and remote code execution through \nNetworkServlet.getNextTrapPage(). This issue requires an authenticated \nattacker with at least user-level privileges. Certain parameters in this\n function are not properly sanitized, allowing an attacker to perform \nSQL injection and potentially execute code in the context of the \u0027nt \nauthority\\local service\u0027 account."
            }
          ],
          "value": "A vulnerability exists in Advantech iView that could allow for SQL \ninjection and remote code execution through \nNetworkServlet.getNextTrapPage(). This issue requires an authenticated \nattacker with at least user-level privileges. Certain parameters in this\n function are not properly sanitized, allowing an attacker to perform \nSQL injection and potentially execute code in the context of the \u0027nt \nauthority\\local service\u0027 account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T23:23:38.421Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-191-08"
        },
        {
          "url": "https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Advantech recommends users update to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183\"\u003ev5.7.05 build 7057\u003c/a\u003e.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Advantech recommends users update to v5.7.05 build 7057 https://www.advantech.com/en/support/details/firmware-?id=1-HIPU-183 ."
        }
      ],
      "source": {
        "advisory": "ICSA-25-191-08",
        "discovery": "EXTERNAL"
      },
      "title": "Advantech iView SQL Injection",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-53475",
    "datePublished": "2025-07-10T23:23:38.421Z",
    "dateReserved": "2025-07-02T15:12:58.621Z",
    "dateUpdated": "2025-07-11T13:39:39.168Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}