Main Vulnerability Database Vulnerabilities #VU4565

#VU4565 SQL injection in Advantech WebAccess - CVE-2017-5154

Published: January 12, 2017 / Updated: January 13, 2017

Vulnerability identifier: #VU4565

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-5154

CWE-ID: CWE-89

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Advantech WebAccess

Software vendor:
Advantech Co., Ltd

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in web application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed to updateTemplate.aspx script in Advantech WebAccess. A remote authenticated attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.

Note: authentication is required to exploit this vulnerability, however another vulnerability, described in this advisory, can be used to bypass authentication process.

Remediation

Install the latest version 8.2 from vendor's website:
http://www.advantech.com/industrial-automation/webaccess

#VU4565 SQL injection in Advantech WebAccess - CVE-2017-5154

Description

Remediation

External links

Please verify you're human