Details of VAR-202007-0395

ID

VAR-202007-0395

CVE

CVE-2020-14497

TITLE

Advantech iView In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-008131

DESCRIPTION

Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code. Advantech iView Has SQL An injection vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put in a state. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of calls to the setConfigurationItem method of the ConfigurationTable class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise

Trust: 11.79

sources: NVD: CVE-2020-14497 // JVNDB: JVNDB-2020-008131 // ZDI: ZDI-20-848 // ZDI: ZDI-20-853 // ZDI: ZDI-20-827 // ZDI: ZDI-20-837 // ZDI: ZDI-20-839 // ZDI: ZDI-20-849 // ZDI: ZDI-20-858 // ZDI: ZDI-20-860 // ZDI: ZDI-20-838 // ZDI: ZDI-20-836 // ZDI: ZDI-20-828 // ZDI: ZDI-20-868 // ZDI: ZDI-20-843 // ZDI: ZDI-20-862 // ZDI: ZDI-20-869 // ZDI: ZDI-20-857 // VULHUB: VHN-167381

AFFECTED PRODUCTS

vendor:	advantech	model:	iview	scope:	-	version:	-	Trust: 11.2
vendor:	advantech	model:	iview	scope:	lte	version:	5.6	Trust: 1.0
vendor:	アドバンテック株式会社	model:	iview	scope:	eq	version:	-	Trust: 0.8
vendor:	アドバンテック株式会社	model:	iview	scope:	lte	version:	5.6	Trust: 0.8

sources: ZDI: ZDI-20-860 // ZDI: ZDI-20-848 // ZDI: ZDI-20-869 // ZDI: ZDI-20-862 // ZDI: ZDI-20-843 // ZDI: ZDI-20-868 // ZDI: ZDI-20-828 // ZDI: ZDI-20-836 // ZDI: ZDI-20-838 // ZDI: ZDI-20-857 // ZDI: ZDI-20-858 // ZDI: ZDI-20-849 // ZDI: ZDI-20-839 // ZDI: ZDI-20-837 // ZDI: ZDI-20-827 // ZDI: ZDI-20-853 // JVNDB: JVNDB-2020-008131 // NVD: CVE-2020-14497

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2020-14497
value:	CRITICAL
Trust: 6.3
ZDI:	CVE-2020-14497
value:	HIGH
Trust: 4.9
nvd@nist.gov:	CVE-2020-14497
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2020-14497
value:	CRITICAL
Trust: 0.8
VULHUB:	VHN-167381
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2020-14497
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-167381
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ZDI:	CVE-2020-14497
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 6.3
ZDI:	CVE-2020-14497
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 4.9
nvd@nist.gov:	CVE-2020-14497
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2020-14497
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: ZDI: ZDI-20-860 // ZDI: ZDI-20-848 // ZDI: ZDI-20-869 // ZDI: ZDI-20-862 // ZDI: ZDI-20-843 // ZDI: ZDI-20-868 // ZDI: ZDI-20-828 // ZDI: ZDI-20-836 // ZDI: ZDI-20-838 // ZDI: ZDI-20-857 // ZDI: ZDI-20-858 // ZDI: ZDI-20-849 // ZDI: ZDI-20-839 // ZDI: ZDI-20-837 // ZDI: ZDI-20-827 // ZDI: ZDI-20-853 // VULHUB: VHN-167381 // JVNDB: JVNDB-2020-008131 // NVD: CVE-2020-14497

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.1
problemtype:	SQL injection (CWE-89) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-167381 // JVNDB: JVNDB-2020-008131 // NVD: CVE-2020-14497

PATCH

title:	Advantech has issued an update to correct this vulnerability.	url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33	Trust: 11.2
title:	Top Page	url:	https://www.advantech.co.jp/	Trust: 0.8

EXTERNAL IDS

db:	NVD	id:	CVE-2020-14497	Trust: 13.1
db:	ICS CERT	id:	ICSA-20-196-01	Trust: 1.9
db:	ZDI	id:	ZDI-20-860	Trust: 1.8
db:	ZDI	id:	ZDI-20-848	Trust: 1.8
db:	ZDI	id:	ZDI-20-869	Trust: 1.8
db:	ZDI	id:	ZDI-20-862	Trust: 1.8
db:	ZDI	id:	ZDI-20-843	Trust: 1.8
db:	ZDI	id:	ZDI-20-868	Trust: 1.8
db:	ZDI	id:	ZDI-20-828	Trust: 1.8
db:	ZDI	id:	ZDI-20-836	Trust: 1.8
db:	ZDI	id:	ZDI-20-838	Trust: 1.8
db:	ZDI	id:	ZDI-20-857	Trust: 1.8
db:	ZDI	id:	ZDI-20-858	Trust: 1.8
db:	ZDI	id:	ZDI-20-849	Trust: 1.8
db:	ZDI	id:	ZDI-20-839	Trust: 1.8
db:	ZDI	id:	ZDI-20-837	Trust: 1.8
db:	ZDI	id:	ZDI-20-827	Trust: 1.8
db:	ZDI	id:	ZDI-20-853	Trust: 1.8
db:	ZDI	id:	ZDI-20-844	Trust: 1.1
db:	ZDI	id:	ZDI-20-830	Trust: 1.1
db:	ZDI	id:	ZDI-20-864	Trust: 1.1
db:	ZDI	id:	ZDI-20-847	Trust: 1.1
db:	ZDI	id:	ZDI-20-863	Trust: 1.1
db:	ZDI	id:	ZDI-20-855	Trust: 1.1
db:	ZDI	id:	ZDI-20-846	Trust: 1.1
db:	ZDI	id:	ZDI-20-866	Trust: 1.1
db:	ZDI	id:	ZDI-20-842	Trust: 1.1
db:	ZDI	id:	ZDI-20-854	Trust: 1.1
db:	ZDI	id:	ZDI-20-832	Trust: 1.1
db:	ZDI	id:	ZDI-20-835	Trust: 1.1
db:	ZDI	id:	ZDI-20-850	Trust: 1.1
db:	ZDI	id:	ZDI-20-845	Trust: 1.1
db:	ZDI	id:	ZDI-20-856	Trust: 1.1
db:	ZDI	id:	ZDI-20-861	Trust: 1.1
db:	ZDI	id:	ZDI-20-833	Trust: 1.1
db:	ZDI	id:	ZDI-20-852	Trust: 1.1
db:	ZDI	id:	ZDI-20-851	Trust: 1.1
db:	ZDI	id:	ZDI-20-865	Trust: 1.1
db:	JVN	id:	JVNVU95694616	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-008131	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-10700	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10631	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10716	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10703	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10626	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10707	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10635	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10656	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10658	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10970	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10673	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10659	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10621	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10657	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10634	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-10669	Trust: 0.7
db:	CNNVD	id:	CNNVD-202007-968	Trust: 0.1
db:	VULHUB	id:	VHN-167381	Trust: 0.1

sources: ZDI: ZDI-20-860 // ZDI: ZDI-20-848 // ZDI: ZDI-20-869 // ZDI: ZDI-20-862 // ZDI: ZDI-20-843 // ZDI: ZDI-20-868 // ZDI: ZDI-20-828 // ZDI: ZDI-20-836 // ZDI: ZDI-20-838 // ZDI: ZDI-20-857 // ZDI: ZDI-20-858 // ZDI: ZDI-20-849 // ZDI: ZDI-20-839 // ZDI: ZDI-20-837 // ZDI: ZDI-20-827 // ZDI: ZDI-20-853 // VULHUB: VHN-167381 // JVNDB: JVNDB-2020-008131 // NVD: CVE-2020-14497

REFERENCES

url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33	Trust: 11.2
url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-196-01	Trust: 1.9
url:	https://www.zerodayinitiative.com/advisories/zdi-20-827/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-828/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-830/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-832/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-833/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-835/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-836/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-837/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-838/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-839/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-842/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-843/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-844/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-845/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-846/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-847/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-848/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-849/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-850/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-851/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-852/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-853/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-854/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-855/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-856/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-857/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-858/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-860/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-861/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-862/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-863/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-864/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-865/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-866/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-868/	Trust: 1.1
url:	https://www.zerodayinitiative.com/advisories/zdi-20-869/	Trust: 1.1
url:	https://jvn.jp/vu/jvnvu95694616/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-14497	Trust: 0.8

sources: ZDI: ZDI-20-860 // ZDI: ZDI-20-848 // ZDI: ZDI-20-869 // ZDI: ZDI-20-862 // ZDI: ZDI-20-843 // ZDI: ZDI-20-868 // ZDI: ZDI-20-828 // ZDI: ZDI-20-836 // ZDI: ZDI-20-838 // ZDI: ZDI-20-857 // ZDI: ZDI-20-858 // ZDI: ZDI-20-849 // ZDI: ZDI-20-839 // ZDI: ZDI-20-837 // ZDI: ZDI-20-827 // ZDI: ZDI-20-853 // VULHUB: VHN-167381 // JVNDB: JVNDB-2020-008131 // NVD: CVE-2020-14497

CREDITS

rgod

Trust: 11.2

SOURCES

db:	ZDI	id:	ZDI-20-860
db:	ZDI	id:	ZDI-20-848
db:	ZDI	id:	ZDI-20-869
db:	ZDI	id:	ZDI-20-862
db:	ZDI	id:	ZDI-20-843
db:	ZDI	id:	ZDI-20-868
db:	ZDI	id:	ZDI-20-828
db:	ZDI	id:	ZDI-20-836
db:	ZDI	id:	ZDI-20-838
db:	ZDI	id:	ZDI-20-857
db:	ZDI	id:	ZDI-20-858
db:	ZDI	id:	ZDI-20-849
db:	ZDI	id:	ZDI-20-839
db:	ZDI	id:	ZDI-20-837
db:	ZDI	id:	ZDI-20-827
db:	ZDI	id:	ZDI-20-853
db:	VULHUB	id:	VHN-167381
db:	JVNDB	id:	JVNDB-2020-008131
db:	NVD	id:	CVE-2020-14497

LAST UPDATE DATE

2025-02-20T22:34:09.384000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-20-860	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-848	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-869	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-862	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-843	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-868	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-828	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-836	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-838	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-857	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-858	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-849	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-839	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-837	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-827	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-853	date:	2020-07-16T00:00:00
db:	VULHUB	id:	VHN-167381	date:	2020-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2020-008131	date:	2020-09-03T00:00:00
db:	NVD	id:	CVE-2020-14497	date:	2024-11-21T05:03:23.890

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-20-860	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-848	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-869	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-862	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-843	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-868	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-828	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-836	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-838	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-857	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-858	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-849	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-839	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-837	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-827	date:	2020-07-16T00:00:00
db:	ZDI	id:	ZDI-20-853	date:	2020-07-16T00:00:00
db:	VULHUB	id:	VHN-167381	date:	2020-07-15T00:00:00
db:	JVNDB	id:	JVNDB-2020-008131	date:	2020-09-03T00:00:00
db:	NVD	id:	CVE-2020-14497	date:	2020-07-15T02:15:12.547