Details of VAR-202007-0395

ID

VAR-202007-0395

CVE

CVE-2020-14497

TITLE

Advantech iView NetworkServlet SQL Injection Information Disclosure Vulnerability

Trust: 1.4

sources: ZDI: ZDI-20-848 // ZDI: ZDI-20-830

DESCRIPTION

Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet servlet. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Advantech iView is a device management application provided by Advantech

Trust: 12.15

sources: NVD: CVE-2020-14497 // ZDI: ZDI-20-848 // ZDI: ZDI-20-850 // ZDI: ZDI-20-855 // ZDI: ZDI-20-839 // ZDI: ZDI-20-851 // ZDI: ZDI-20-852 // ZDI: ZDI-20-856 // ZDI: ZDI-20-830 // ZDI: ZDI-20-860 // ZDI: ZDI-20-846 // ZDI: ZDI-20-835 // ZDI: ZDI-20-828 // ZDI: ZDI-20-868 // ZDI: ZDI-20-843 // ZDI: ZDI-20-862 // ZDI: ZDI-20-869 // ZDI: ZDI-20-842 // CNVD: CNVD-2020-42953

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-42953

AFFECTED PRODUCTS

vendor:	advantech	model:	iview	scope:	-	version:	-	Trust: 11.9
vendor:	advantech	model:	iview	scope:	lte	version:	5.6	Trust: 1.0
vendor:	advantech	model:	iview	scope:	lte	version:	<=5.6	Trust: 0.6

sources: ZDI: ZDI-20-860 // ZDI: ZDI-20-848 // ZDI: ZDI-20-869 // ZDI: ZDI-20-862 // ZDI: ZDI-20-843 // ZDI: ZDI-20-868 // ZDI: ZDI-20-828 // ZDI: ZDI-20-835 // ZDI: ZDI-20-846 // ZDI: ZDI-20-842 // ZDI: ZDI-20-830 // ZDI: ZDI-20-856 // ZDI: ZDI-20-852 // ZDI: ZDI-20-851 // ZDI: ZDI-20-839 // ZDI: ZDI-20-855 // ZDI: ZDI-20-850 // CNVD: CNVD-2020-42953 // NVD: CVE-2020-14497

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2020-14497
value:	HIGH
Trust: 7.0
ZDI:	CVE-2020-14497
value:	CRITICAL
Trust: 4.9
nvd@nist.gov:	CVE-2020-14497
value:	CRITICAL
Trust: 1.0
CNVD:	CNVD-2020-42953
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2020-14497
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
CNVD:	CNVD-2020-42953
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

ZDI:	CVE-2020-14497
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 7.0
ZDI:	CVE-2020-14497
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 4.9
nvd@nist.gov:	CVE-2020-14497
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.0

sources: NVD: CVE-2020-14497

PATCH

title:	Advantech has issued an update to correct this vulnerability.	url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33	Trust: 11.9
title:	Patch for Advantech iView SQL injection vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/227467	Trust: 0.6

EXTERNAL IDS

db:	NVD	id:	CVE-2020-14497	Trust: 13.5
db:	ZDI	id:	ZDI-20-860	Trust: 1.7
db:	ZDI	id:	ZDI-20-848	Trust: 1.7
db:	ZDI	id:	ZDI-20-869	Trust: 1.7
db:	ZDI	id:	ZDI-20-862	Trust: 1.7
db:	ZDI	id:	ZDI-20-843	Trust: 1.7
db:	ZDI	id:	ZDI-20-868	Trust: 1.7
db:	ZDI	id:	ZDI-20-828	Trust: 1.7
db:	ZDI	id:	ZDI-20-835	Trust: 1.7
db:	ZDI	id:	ZDI-20-846	Trust: 1.7
db:	ZDI	id:	ZDI-20-842	Trust: 1.7
db:	ZDI	id:	ZDI-20-830	Trust: 1.7
db:	ZDI	id:	ZDI-20-856	Trust: 1.7
db:	ZDI	id:	ZDI-20-852	Trust: 1.7
db:	ZDI	id:	ZDI-20-851	Trust: 1.7
db:	ZDI	id:	ZDI-20-839	Trust: 1.7
db:	ZDI	id:	ZDI-20-855	Trust: 1.7
db:	ZDI	id:	ZDI-20-850	Trust: 1.7
db:	ZDI	id:	ZDI-20-861	Trust: 1.0
db:	ZDI	id:	ZDI-20-833	Trust: 1.0
db:	ZDI	id:	ZDI-20-853	Trust: 1.0
db:	ZDI	id:	ZDI-20-845	Trust: 1.0
db:	ZDI	id:	ZDI-20-827	Trust: 1.0
db:	ZDI	id:	ZDI-20-844	Trust: 1.0
db:	ZDI	id:	ZDI-20-864	Trust: 1.0
db:	ZDI	id:	ZDI-20-854	Trust: 1.0
db:	ZDI	id:	ZDI-20-837	Trust: 1.0
db:	ZDI	id:	ZDI-20-838	Trust: 1.0
db:	ZDI	id:	ZDI-20-863	Trust: 1.0
db:	ZDI	id:	ZDI-20-836	Trust: 1.0
db:	ZDI	id:	ZDI-20-832	Trust: 1.0
db:	ZDI	id:	ZDI-20-849	Trust: 1.0
db:	ZDI	id:	ZDI-20-847	Trust: 1.0
db:	ZDI	id:	ZDI-20-857	Trust: 1.0
db:	ZDI	id:	ZDI-20-858	Trust: 1.0
db:	ZDI	id:	ZDI-20-866	Trust: 1.0
db:	ZDI	id:	ZDI-20-865	Trust: 1.0
db:	ICS CERT	id:	ICSA-20-196-01	Trust: 1.0
db:	ZDI_CAN	id:	ZDI-CAN-10700	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10631	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10716	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10703	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10626	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10707	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10635	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10655	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10629	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10625	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10637	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10672	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10668	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10661	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10621	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10671	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10660	Trust: 0.7
db:	CNVD	id:	CNVD-2020-42953	Trust: 0.6

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33	Trust: 11.9
url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-196-01	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-827/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-828/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-830/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-832/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-833/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-835/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-836/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-837/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-838/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-839/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-842/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-843/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-844/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-845/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-846/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-847/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-848/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-849/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-850/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-851/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-852/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-853/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-854/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-855/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-856/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-857/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-858/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-860/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-861/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-862/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-863/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-864/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-865/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-866/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-868/	Trust: 1.0
url:	https://www.zerodayinitiative.com/advisories/zdi-20-869/	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14497	Trust: 0.6

CREDITS

rgod

Trust: 11.9

SOURCES

db:	ZDI	id:	ZDI-20-860
db:	ZDI	id:	ZDI-20-848
db:	ZDI	id:	ZDI-20-869
db:	ZDI	id:	ZDI-20-862
db:	ZDI	id:	ZDI-20-843
db:	ZDI	id:	ZDI-20-868
db:	ZDI	id:	ZDI-20-828
db:	ZDI	id:	ZDI-20-835
db:	ZDI	id:	ZDI-20-846
db:	ZDI	id:	ZDI-20-842
db:	ZDI	id:	ZDI-20-830
db:	ZDI	id:	ZDI-20-856
db:	ZDI	id:	ZDI-20-852
db:	ZDI	id:	ZDI-20-851
db:	ZDI	id:	ZDI-20-839
db:	ZDI	id:	ZDI-20-855
db:	ZDI	id:	ZDI-20-850
db:	CNVD	id:	CNVD-2020-42953
db:	NVD	id:	CVE-2020-14497

LAST UPDATE DATE

2024-09-14T22:44:00.217000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-20-860	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-848	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-869	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-862	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-843	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-868	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-828	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-835	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-846	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-842	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-830	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-856	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-852	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-851	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-839	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-855	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-850	date:	2020-07-16T00:00:00
db:	CNVD	id:	CNVD-2020-42953	date:	2020-07-29T00:00:00
db:	NVD	id:	CVE-2020-14497	date:	2020-07-21T20:34:07.950

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-20-860	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-848	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-869	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-862	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-843	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-868	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-828	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-835	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-846	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-842	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-830	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-856	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-852	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-851	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-839	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-855	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-850	date:	2020-07-16T00:00:00
db:	CNVD	id:	CNVD-2020-42953	date:	2020-07-29T00:00:00
db:	NVD	id:	CVE-2020-14497	date:	2020-07-15T02:15:12.547