Sign-up

ID

VAR-202007-0395


CVE

CVE-2020-14497


TITLE

Advantech iView User checkForDuplicateUserName SQL Injection Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-20-860

DESCRIPTION

Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet servlet. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Advantech iView is a device management application provided by Advantech

Trust: 12.24

sources: NVD: CVE-2020-14497 // ZDI: ZDI-20-838 // ZDI: ZDI-20-827 // ZDI: ZDI-20-837 // ZDI: ZDI-20-839 // ZDI: ZDI-20-849 // ZDI: ZDI-20-858 // ZDI: ZDI-20-857 // ZDI: ZDI-20-848 // ZDI: ZDI-20-860 // ZDI: ZDI-20-861 // ZDI: ZDI-20-833 // ZDI: ZDI-20-828 // ZDI: ZDI-20-868 // ZDI: ZDI-20-843 // ZDI: ZDI-20-862 // ZDI: ZDI-20-869 // ZDI: ZDI-20-851 // CNVD: CNVD-2020-42953 // VULHUB: VHN-167381

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-42953

AFFECTED PRODUCTS

vendor:advantechmodel:iviewscope: - version: -

Trust: 11.9

vendor:advantechmodel:iviewscope:lteversion:5.6

Trust: 1.0

vendor:advantechmodel:iviewscope:lteversion:<=5.6

Trust: 0.6

sources: ZDI: ZDI-20-860 // ZDI: ZDI-20-848 // ZDI: ZDI-20-869 // ZDI: ZDI-20-862 // ZDI: ZDI-20-843 // ZDI: ZDI-20-868 // ZDI: ZDI-20-828 // ZDI: ZDI-20-833 // ZDI: ZDI-20-861 // ZDI: ZDI-20-838 // ZDI: ZDI-20-851 // ZDI: ZDI-20-857 // ZDI: ZDI-20-858 // ZDI: ZDI-20-849 // ZDI: ZDI-20-839 // ZDI: ZDI-20-837 // ZDI: ZDI-20-827 // CNVD: CNVD-2020-42953 // NVD: CVE-2020-14497

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2020-14497
value: CRITICAL

Trust: 7.0

ZDI: CVE-2020-14497
value: HIGH

Trust: 4.9

nvd@nist.gov: CVE-2020-14497
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2020-42953
value: HIGH

Trust: 0.6

VULHUB: VHN-167381
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-14497
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2020-42953
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-167381
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ZDI: CVE-2020-14497
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 7.0

ZDI: CVE-2020-14497
baseSeverity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 4.9

nvd@nist.gov: CVE-2020-14497
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: ZDI: ZDI-20-860 // ZDI: ZDI-20-848 // ZDI: ZDI-20-869 // ZDI: ZDI-20-862 // ZDI: ZDI-20-843 // ZDI: ZDI-20-868 // ZDI: ZDI-20-828 // ZDI: ZDI-20-833 // ZDI: ZDI-20-861 // ZDI: ZDI-20-838 // ZDI: ZDI-20-851 // ZDI: ZDI-20-857 // ZDI: ZDI-20-858 // ZDI: ZDI-20-849 // ZDI: ZDI-20-839 // ZDI: ZDI-20-837 // ZDI: ZDI-20-827 // CNVD: CNVD-2020-42953 // VULHUB: VHN-167381 // NVD: CVE-2020-14497

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.1

sources: VULHUB: VHN-167381 // NVD: CVE-2020-14497

PATCH

title:Advantech has issued an update to correct this vulnerability.url:https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33

Trust: 11.9

title:Patch for Advantech iView SQL injection vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/227467

Trust: 0.6

sources: ZDI: ZDI-20-860 // ZDI: ZDI-20-848 // ZDI: ZDI-20-869 // ZDI: ZDI-20-862 // ZDI: ZDI-20-843 // ZDI: ZDI-20-868 // ZDI: ZDI-20-828 // ZDI: ZDI-20-833 // ZDI: ZDI-20-861 // ZDI: ZDI-20-838 // ZDI: ZDI-20-851 // ZDI: ZDI-20-857 // ZDI: ZDI-20-858 // ZDI: ZDI-20-849 // ZDI: ZDI-20-839 // ZDI: ZDI-20-837 // ZDI: ZDI-20-827 // CNVD: CNVD-2020-42953

EXTERNAL IDS

db:NVDid:CVE-2020-14497

Trust: 13.6

db:ZDIid:ZDI-20-860

Trust: 1.8

db:ZDIid:ZDI-20-848

Trust: 1.8

db:ZDIid:ZDI-20-869

Trust: 1.8

db:ZDIid:ZDI-20-862

Trust: 1.8

db:ZDIid:ZDI-20-843

Trust: 1.8

db:ZDIid:ZDI-20-868

Trust: 1.8

db:ZDIid:ZDI-20-828

Trust: 1.8

db:ZDIid:ZDI-20-833

Trust: 1.8

db:ZDIid:ZDI-20-861

Trust: 1.8

db:ZDIid:ZDI-20-838

Trust: 1.8

db:ZDIid:ZDI-20-851

Trust: 1.8

db:ZDIid:ZDI-20-857

Trust: 1.8

db:ZDIid:ZDI-20-858

Trust: 1.8

db:ZDIid:ZDI-20-849

Trust: 1.8

db:ZDIid:ZDI-20-839

Trust: 1.8

db:ZDIid:ZDI-20-837

Trust: 1.8

db:ZDIid:ZDI-20-827

Trust: 1.8

db:ZDIid:ZDI-20-844

Trust: 1.1

db:ZDIid:ZDI-20-830

Trust: 1.1

db:ZDIid:ZDI-20-864

Trust: 1.1

db:ZDIid:ZDI-20-847

Trust: 1.1

db:ZDIid:ZDI-20-863

Trust: 1.1

db:ZDIid:ZDI-20-855

Trust: 1.1

db:ZDIid:ZDI-20-846

Trust: 1.1

db:ZDIid:ZDI-20-866

Trust: 1.1

db:ZDIid:ZDI-20-842

Trust: 1.1

db:ZDIid:ZDI-20-854

Trust: 1.1

db:ZDIid:ZDI-20-832

Trust: 1.1

db:ZDIid:ZDI-20-835

Trust: 1.1

db:ZDIid:ZDI-20-850

Trust: 1.1

db:ZDIid:ZDI-20-845

Trust: 1.1

db:ZDIid:ZDI-20-856

Trust: 1.1

db:ZDIid:ZDI-20-852

Trust: 1.1

db:ZDIid:ZDI-20-836

Trust: 1.1

db:ZDIid:ZDI-20-865

Trust: 1.1

db:ZDIid:ZDI-20-853

Trust: 1.1

db:ICS CERTid:ICSA-20-196-01

Trust: 1.1

db:ZDI_CANid:ZDI-CAN-10700

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10631

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10716

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10703

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10626

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10707

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10635

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10633

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10702

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10658

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10661

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10970

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10673

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10659

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10621

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10657

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-10634

Trust: 0.7

db:CNVDid:CNVD-2020-42953

Trust: 0.6

db:CNNVDid:CNNVD-202007-968

Trust: 0.1

db:VULHUBid:VHN-167381

Trust: 0.1

sources: ZDI: ZDI-20-860 // ZDI: ZDI-20-848 // ZDI: ZDI-20-869 // ZDI: ZDI-20-862 // ZDI: ZDI-20-843 // ZDI: ZDI-20-868 // ZDI: ZDI-20-828 // ZDI: ZDI-20-833 // ZDI: ZDI-20-861 // ZDI: ZDI-20-838 // ZDI: ZDI-20-851 // ZDI: ZDI-20-857 // ZDI: ZDI-20-858 // ZDI: ZDI-20-849 // ZDI: ZDI-20-839 // ZDI: ZDI-20-837 // ZDI: ZDI-20-827 // CNVD: CNVD-2020-42953 // VULHUB: VHN-167381 // NVD: CVE-2020-14497

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33

Trust: 11.9

url:https://www.zerodayinitiative.com/advisories/zdi-20-827/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-828/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-830/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-832/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-833/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-835/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-836/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-837/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-838/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-839/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-842/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-843/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-844/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-845/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-846/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-847/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-848/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-849/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-850/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-851/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-852/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-853/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-854/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-855/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-856/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-857/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-858/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-860/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-861/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-862/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-863/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-864/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-865/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-866/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-868/

Trust: 1.1

url:https://www.zerodayinitiative.com/advisories/zdi-20-869/

Trust: 1.1

url:https://us-cert.cisa.gov/ics/advisories/icsa-20-196-01

Trust: 1.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-14497

Trust: 0.6

sources: ZDI: ZDI-20-860 // ZDI: ZDI-20-848 // ZDI: ZDI-20-869 // ZDI: ZDI-20-862 // ZDI: ZDI-20-843 // ZDI: ZDI-20-868 // ZDI: ZDI-20-828 // ZDI: ZDI-20-833 // ZDI: ZDI-20-861 // ZDI: ZDI-20-838 // ZDI: ZDI-20-851 // ZDI: ZDI-20-857 // ZDI: ZDI-20-858 // ZDI: ZDI-20-849 // ZDI: ZDI-20-839 // ZDI: ZDI-20-837 // ZDI: ZDI-20-827 // CNVD: CNVD-2020-42953 // VULHUB: VHN-167381 // NVD: CVE-2020-14497

CREDITS

rgod

Trust: 11.9

sources: ZDI: ZDI-20-860 // ZDI: ZDI-20-848 // ZDI: ZDI-20-869 // ZDI: ZDI-20-862 // ZDI: ZDI-20-843 // ZDI: ZDI-20-868 // ZDI: ZDI-20-828 // ZDI: ZDI-20-833 // ZDI: ZDI-20-861 // ZDI: ZDI-20-838 // ZDI: ZDI-20-851 // ZDI: ZDI-20-857 // ZDI: ZDI-20-858 // ZDI: ZDI-20-849 // ZDI: ZDI-20-839 // ZDI: ZDI-20-837 // ZDI: ZDI-20-827

SOURCES

db:ZDIid:ZDI-20-860
db:ZDIid:ZDI-20-848
db:ZDIid:ZDI-20-869
db:ZDIid:ZDI-20-862
db:ZDIid:ZDI-20-843
db:ZDIid:ZDI-20-868
db:ZDIid:ZDI-20-828
db:ZDIid:ZDI-20-833
db:ZDIid:ZDI-20-861
db:ZDIid:ZDI-20-838
db:ZDIid:ZDI-20-851
db:ZDIid:ZDI-20-857
db:ZDIid:ZDI-20-858
db:ZDIid:ZDI-20-849
db:ZDIid:ZDI-20-839
db:ZDIid:ZDI-20-837
db:ZDIid:ZDI-20-827
db:CNVDid:CNVD-2020-42953
db:VULHUBid:VHN-167381
db:NVDid:CVE-2020-14497

LAST UPDATE DATE

2024-11-20T22:37:44.639000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-20-860date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-848date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-869date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-862date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-843date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-868date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-828date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-833date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-861date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-838date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-851date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-857date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-858date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-849date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-839date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-837date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-827date:2020-07-16T00:00:00
db:CNVDid:CNVD-2020-42953date:2020-07-29T00:00:00
db:VULHUBid:VHN-167381date:2020-07-21T00:00:00
db:NVDid:CVE-2020-14497date:2020-07-21T20:34:07.950

SOURCES RELEASE DATE

db:ZDIid:ZDI-20-860date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-848date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-869date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-862date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-843date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-868date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-828date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-833date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-861date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-838date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-851date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-857date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-858date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-849date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-839date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-837date:2020-07-16T00:00:00
db:ZDIid:ZDI-20-827date:2020-07-16T00:00:00
db:CNVDid:CNVD-2020-42953date:2020-07-29T00:00:00
db:VULHUBid:VHN-167381date:2020-07-15T00:00:00
db:NVDid:CVE-2020-14497date:2020-07-15T02:15:12.547