Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-21927

Summary
Assigner-talos
Assigner Org ID-b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b
Published At-22 Dec, 2021 | 18:07
Updated At-03 Aug, 2024 | 18:30
Rejected At-
Credits

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at ‘loc_filter’ parameter.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:talos
Assigner Org ID:b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b
Published At:22 Dec, 2021 | 18:07
Updated At:03 Aug, 2024 | 18:30
Rejected At:
▼CVE Numbering Authority (CNA)

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at ‘loc_filter’ parameter.

Affected Products
Vendor
n/a
Product
Advantech
Versions
Affected
  • Advantech R-SeeNet Advantech R-SeeNet 2.4.15 (30.07.2021)
Problem Types
TypeCWE IDDescription
CWECWE-89CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Type: CWE
CWE ID: CWE-89
Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Metrics
VersionBase scoreBase severityVector
3.07.7HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Version: 3.0
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1366
x_refsource_MISC
Hyperlink: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1366
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1366
x_refsource_MISC
x_transferred
Hyperlink: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1366
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:talos-cna@cisco.com
Published At:22 Dec, 2021 | 19:15
Updated At:22 Jul, 2022 | 13:22

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at ‘loc_filter’ parameter.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Secondary3.07.7HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary2.04.0MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.0
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Type: Primary
Version: 2.0
Base score: 4.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CPE Matches
Advantech (Advantech Co., Ltd.)
advantech
>>r-seenet>>2.4.15
cpe:2.3:a:advantech:r-seenet:2.4.15:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-89Primarynvd@nist.gov
CWE-89Secondarytalos-cna@cisco.com
CWE ID: CWE-89
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-89
Type: Secondary
Source: talos-cna@cisco.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1366talos-cna@cisco.com
Exploit
Third Party Advisory
Hyperlink: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1366
Source: talos-cna@cisco.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

647Records found
CVE-2022-2136
Matching Score-10
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-10
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.8||HIGH
EPSS-0.19% / 40.01%
||
7 Day CHG~0.00%
Published-22 Jul, 2022 | 14:58
Updated-16 Apr, 2025 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech iView

The affected product is vulnerable to multiple SQL injections that require low privileges for exploitation and may allow an unauthorized attacker to disclose information.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-iviewiView
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-10623
Matching Score-10
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-10
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 34.26%
||
7 Day CHG~0.00%
Published-09 Apr, 2020 | 13:03
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple vulnerabilities could allow an attacker with low privileges to perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/nmsWebAccess/NMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-18229
Matching Score-10
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-10
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.5||MEDIUM
EPSS-0.65% / 70.94%
||
7 Day CHG~0.00%
Published-31 Oct, 2019 | 21:05
Updated-05 Aug, 2024 | 01:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Lack of sanitization of user-supplied input cause SQL injection vulnerabilities. An attacker can leverage these vulnerabilities to disclose information.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-wise-paas\/rmmAdvantech WISE-PaaS/RMM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-34242
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-8.6||HIGH
EPSS-0.03% / 7.50%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 19:46
Updated-28 Nov, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxNetworkController.ajaxAction()

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxNetworkController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess\/vpnWebAccess/VPN
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-34241
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 7.50%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 19:45
Updated-28 Nov, 2025 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxDeviceController.ajaxDeviceAction()

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxDeviceController.ajaxDeviceAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess\/vpnWebAccess/VPN
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-34245
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 7.50%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 19:48
Updated-28 Nov, 2025 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxStandaloneVpnClientsController.ajaxAction()

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxStandaloneVpnClientsController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess\/vpnWebAccess/VPN
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-34240
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-8.6||HIGH
EPSS-0.03% / 7.50%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 19:45
Updated-28 Nov, 2025 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech WebAccess/VPN < 1.1.5 SQL Injection via AppManagementController.appUpgradeAction()

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess\/vpnWebAccess/VPN
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21934
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.19% / 78.96%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at ‘imei_filter’ parameter. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21921
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.34% / 80.09%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ‘name_filter’ parameter with the administrative account or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21918
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.34% / 80.09%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:06
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ‘name_filter’ parameter. However, the high privilege super-administrator account needs to be used to achieve exploitation without cross-site request forgery attack.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21937
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.19% / 78.96%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ‘host_alt_filter’ parameter. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21936
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.25% / 79.42%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ‘health_alt_filter’ parameter. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21920
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.34% / 80.09%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ‘surname_filter’ parameter with the administrative account or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21928
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.19% / 78.96%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at ‘mac_filter’ parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21933
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.19% / 78.96%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at ‘esn_filter’ parameter. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21929
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.19% / 78.96%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at ‘prod_filter’ parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21916
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.25% / 79.42%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:06
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable SQL injection vulnerability exist in the ‘group_list’ page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at 'description_filter’ parameter. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21923
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.34% / 80.09%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ‘company_filter’ parameter with the administrative account or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21926
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.19% / 78.96%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at ‘health_filter’ parameter.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21931
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.19% / 78.96%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at‘ stat_filter’ parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21932
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.19% / 78.96%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at ‘name_filter’ parameter. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21919
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.34% / 80.09%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:06
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ord’ parameter. However, the high privilege super-administrator account needs to be used to achieve exploitation without cross-site request forgery attack.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21924
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.40% / 80.52%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at ‘desc_filter’ parameter.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21917
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.25% / 79.42%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:06
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable SQL injection vulnerability exist in the ‘group_list’ page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at '‘ord’ parameter. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21935
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.19% / 78.96%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ‘host_alt_filter2’ parameter. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21930
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.19% / 78.96%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at ‘sn_filter’ parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21922
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.19% / 78.96%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ‘username_filter’ parameter with the administrative account or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21915
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.25% / 79.42%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:06
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable SQL injection vulnerability exist in the ‘group_list’ page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at ‘company_filter’ parameter. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-21925
Matching Score-10
Assigner-Talos
ShareView Details
Matching Score-10
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-1.19% / 78.96%
||
7 Day CHG~0.00%
Published-22 Dec, 2021 | 18:07
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at ‘firm_filter’ parameter.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-r-seenetAdvantech
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-34243
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 7.50%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 19:47
Updated-28 Nov, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxFwRulesController.ajaxNetworkFwRulesAction()

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxNetworkFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess\/vpnWebAccess/VPN
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-34247
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-0.03% / 8.55%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 19:49
Updated-28 Nov, 2025 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech WebAccess/VPN < 1.1.5 SQL Injection via NetworksController.addNetworkAction()

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in NetworksController.addNetworkAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess\/vpnWebAccess/VPN
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-34246
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 7.70%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 19:49
Updated-28 Nov, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxPrevalidationController.ajaxAction()

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxPrevalidationController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess\/vpnWebAccess/VPN
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-34244
Matching Score-10
Assigner-VulnCheck
ShareView Details
Matching Score-10
Assigner-VulnCheck
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 7.50%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 19:47
Updated-28 Nov, 2025 | 16:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxFwRulesController.ajaxDeviceFwRulesAction()

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxDeviceFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess\/vpnWebAccess/VPN
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-2139
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.5||MEDIUM
EPSS-0.38% / 59.67%
||
7 Day CHG~0.00%
Published-22 Jul, 2022 | 14:58
Updated-16 Apr, 2025 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech iView

The affected product is vulnerable to directory traversal, which may allow an attacker to access unauthorized files and execute arbitrary code.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-iviewiView
CWE ID-CWE-23
Relative Path Traversal
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-13550
Matching Score-8
Assigner-Talos
ShareView Details
Matching Score-8
Assigner-Talos
CVSS Score-7.7||HIGH
EPSS-0.26% / 49.81%
||
7 Day CHG~0.00%
Published-17 Feb, 2021 | 18:10
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A local file inclusion vulnerability exists in the installation functionality of Advantech WebAccess/SCADA 9.0.1. A specially crafted application can lead to information disclosure. An attacker can send an authenticated HTTP request to trigger this vulnerability.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/scadaAdvantech
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2016-5810
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-4.9||MEDIUM
EPSS-25.40% / 96.24%
||
7 Day CHG~0.00%
Published-02 May, 2017 | 14:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

upAdminPg.asp in Advantech WebAccess before 8.1_20160519 allows remote authenticated administrators to obtain sensitive password information via unspecified vectors.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccessn/a
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2021-38431
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 32.26%
||
7 Day CHG~0.00%
Published-15 Oct, 2021 | 12:29
Updated-16 Sep, 2024 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech WebAccess SCADA

An authenticated user using Advantech WebAccess SCADA in versions 9.0.3 and prior can use API functions to disclose project names and paths from other users.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess_scadaWebAccess SCADA
CWE ID-CWE-862
Missing Authorization
CVE-2021-32954
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 43.03%
||
7 Day CHG~0.00%
Published-18 Jun, 2021 | 13:53
Updated-03 Aug, 2024 | 23:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Advantech WebAccess/SCADA Versions 9.0.1 and prior is vulnerable to a directory traversal, which may allow an attacker to remotely read arbitrary files on the file system.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/scadaAdvantech WebAccess/SCADA
CWE ID-CWE-23
Relative Path Traversal
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-34238
Matching Score-8
Assigner-VulnCheck
ShareView Details
Matching Score-8
Assigner-VulnCheck
CVSS Score-6.9||MEDIUM
EPSS-0.07% / 20.30%
||
7 Day CHG~0.00%
Published-06 Nov, 2025 | 19:43
Updated-04 Dec, 2025 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech WebAccess/VPN < 1.1.5 Path Traversal via AjaxStandaloneVpnClientsController.ajaxDownloadRoadWarriorConfigFileAction()

Advantech WebAccess/VPN versions prior to 1.1.5 contain an absolute path traversal via AjaxStandaloneVpnClientsController.ajaxDownloadRoadWarriorConfigFileAction() that allows an authenticated network administrator to cause the application to read and return the contents of arbitrary files the web user (www-data) can access.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess\/vpnWebAccess/VPN
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-22674
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.5||MEDIUM
EPSS-0.31% / 54.30%
||
7 Day CHG~0.00%
Published-10 Aug, 2021 | 14:00
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The affected product is vulnerable to a relative path traversal condition, which may allow an attacker access to unauthorized files and directories on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/scadaWebAccess/SCADA
CWE ID-CWE-23
Relative Path Traversal
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2014-2366
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9||MEDIUM
EPSS-0.18% / 39.56%
||
7 Day CHG~0.00%
Published-19 Jul, 2014 | 01:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech WebAccess Cleartext Storage of Sensitive Information in Memory

upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenticated users to discover credentials by reading HTML source code.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-advantech_webaccessWebAccess
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-316
Cleartext Storage of Sensitive Information in Memory
CVE-2025-53509
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-8
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.1||HIGH
EPSS-0.15% / 34.47%
||
7 Day CHG+0.06%
Published-10 Jul, 2025 | 23:29
Updated-01 Aug, 2025 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech iView Argument Injection

A vulnerability exists in Advantech iView that allows for argument injection in the NetworkServlet.restoreDatabase(). This issue requires an authenticated attacker with at least user-level privileges. An input parameter can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-iviewiView
CWE ID-CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2018-7501
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.07%
||
7 Day CHG~0.00%
Published-15 May, 2018 | 22:00
Updated-16 Sep, 2024 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several SQL injection vulnerabilities have been identified, which may allow an attacker to disclose sensitive information from the host.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-webaccess\/nmswebaccess_dashboardwebaccesswebaccess_scadaWebAccess
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2018-5443
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-5.3||MEDIUM
EPSS-0.14% / 32.76%
||
7 Day CHG~0.00%
Published-25 Jan, 2018 | 03:00
Updated-05 Aug, 2024 | 05:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL Injection issue was discovered in Advantech WebAccess/SCADA versions prior to V8.2_20170817. WebAccess/SCADA does not properly sanitize its inputs for SQL commands.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccess\/scadaAdvantech WebAccess/SCADA
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-52335
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.5||HIGH
EPSS-0.43% / 62.65%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 20:05
Updated-09 Jan, 2025 | 16:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability

Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17863.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-iviewiViewiview
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-3323
Matching Score-6
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-6
Assigner-Tenable Network Security, Inc.
CVSS Score-7.5||HIGH
EPSS-0.81% / 74.33%
||
7 Day CHG~0.00%
Published-27 Sep, 2022 | 13:51
Updated-21 May, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An SQL injection vulnerability in Advantech iView 5.7.04.6469. The specific flaw exists within the ConfigurationServlet endpoint, which listens on TCP port 8080 by default. An unauthenticated remote attacker can craft a special column_value parameter in the setConfiguration action to bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform SQL injection. For example, the attacker can exploit the vulnerability to retrieve the iView admin password.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-iviewAdvantech iView
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-2135
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.21% / 43.29%
||
7 Day CHG~0.00%
Published-22 Jul, 2022 | 14:58
Updated-16 Apr, 2025 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advantech iView

The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information.

Action-Not Available
Vendor-Advantech (Advantech Co., Ltd.)
Product-iviewiView
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2017-5154
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.60% / 69.56%
||
7 Day CHG~0.00%
Published-13 Feb, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Advantech WebAccess Version 8.1. To be able to exploit the SQL injection vulnerability, an attacker must supply malformed input to the WebAccess software. Successful attack could result in administrative access to the application and its data files.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccessAdvantech WebAccess 8.1
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2017-16716
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-2.85% / 86.30%
||
7 Day CHG~0.00%
Published-05 Jan, 2018 | 08:00
Updated-05 Aug, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL Injection issue was discovered in WebAccess versions prior to 8.3. WebAccess does not properly sanitize its inputs for SQL commands.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccessAdvantech WebAccess
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2017-12710
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-6
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.50% / 65.81%
||
7 Day CHG~0.00%
Published-30 Aug, 2017 | 18:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A SQL Injection issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. By submitting a specially crafted parameter, it is possible to inject arbitrary SQL statements that could allow an attacker to obtain sensitive information.

Action-Not Available
Vendor-n/aAdvantech (Advantech Co., Ltd.)
Product-webaccessAdvantech WebAccess
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 12
  • 13
  • Next
Details not found