Main Vulnerability Database Vulnerabilities #VU4565

SQL injection in Advantech WebAccess - CVE-2017-5154

Published: January 12, 2017 / Updated: January 13, 2017

Vulnerability identifier: #VU4565

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-5154

CWE-ID: CWE-89

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Advantech Co., Ltd

Affected software:
Advantech WebAccess

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed to updateTemplate.aspx script in Advantech WebAccess. A remote authenticated attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.

Note: authentication is required to exploit this vulnerability, however another vulnerability, described in this advisory, can be used to bypass authentication process.

How to mitigate CVE-2017-5154

Install the latest version 8.2 from vendor's website:
http://www.advantech.com/industrial-automation/webaccess

SQL injection in Advantech WebAccess - CVE-2017-5154

Detailed vulnerability description

How to mitigate CVE-2017-5154

Sources

Please verify you're human