Sign-up

ID

VAR-202106-1187


CVE

CVE-2021-32932


TITLE

Advantech  Made  iView  Multiple vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2021-001742

DESCRIPTION

The affected product is vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information on the iView (versions prior to v5.7.03.6182). Advantech Provided by iView Is SNMP Base device management software. iView The following multiple vulnerabilities exist in. * Lack of authentication for important features (CWE-306) - CVE-2021-32930 ‥ * SQL injection (CWE-89) - CVE-2021-32932The expected impact depends on each vulnerability, but it may be affected as follows. * A remote third party could change the system configuration or execute arbitrary code. - CVE-2021-32930 ‥ * Information in the system is stolen by a remote third party - CVE-2021-32932. Authentication is not required to exploit this vulnerability.The specific flaw exists within the getNextTrapPage action of NetworkServlet, which listens on TCP port 8080 by default. When parsing the search_description element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of the service account. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 7.29

sources: NVD: CVE-2021-32932 // JVNDB: JVNDB-2021-001742 // ZDI: ZDI-21-656 // ZDI: ZDI-21-655 // ZDI: ZDI-21-654 // ZDI: ZDI-21-653 // ZDI: ZDI-21-652 // ZDI: ZDI-21-651 // ZDI: ZDI-21-650 // ZDI: ZDI-21-649 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-392918

AFFECTED PRODUCTS

vendor:advantechmodel:iviewscope: - version: -

Trust: 5.6

vendor:advantechmodel:iviewscope:ltversion:5.7.03.6182

Trust: 1.0

vendor:アドバンテック株式会社model:iviewscope:eqversion: -

Trust: 0.8

vendor:アドバンテック株式会社model:iviewscope:ltversion:5.7.03.6182 earlier s

Trust: 0.8

sources: ZDI: ZDI-21-656 // ZDI: ZDI-21-655 // ZDI: ZDI-21-654 // ZDI: ZDI-21-653 // ZDI: ZDI-21-652 // ZDI: ZDI-21-651 // ZDI: ZDI-21-650 // ZDI: ZDI-21-649 // JVNDB: JVNDB-2021-001742 // NVD: CVE-2021-32932

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2021-32932
value: HIGH

Trust: 5.6

nvd@nist.gov: CVE-2021-32932
value: HIGH

Trust: 1.0

IPA: JVNDB-2021-001742
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202106-250
value: HIGH

Trust: 0.6

VULHUB: VHN-392918
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-32932
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-392918
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

ZDI: CVE-2021-32932
baseSeverity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 5.6

nvd@nist.gov: CVE-2021-32932
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

IPA: JVNDB-2021-001742
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: ZDI: ZDI-21-656 // ZDI: ZDI-21-655 // ZDI: ZDI-21-654 // ZDI: ZDI-21-653 // ZDI: ZDI-21-652 // ZDI: ZDI-21-651 // ZDI: ZDI-21-650 // ZDI: ZDI-21-649 // VULHUB: VHN-392918 // JVNDB: JVNDB-2021-001742 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-250 // NVD: CVE-2021-32932

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.1

problemtype:Lack of authentication for important features (CWE-306) [IPA Evaluation ]

Trust: 0.8

problemtype:SQL injection (CWE-89) [IPA Evaluation ]

Trust: 0.8

sources: VULHUB: VHN-392918 // JVNDB: JVNDB-2021-001742 // NVD: CVE-2021-32932

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:Advantech has issued an update to correct this vulnerability.url:https://us-cert.cisa.gov/ics/advisories/icsa-21-154-01

Trust: 5.6

title:Support & Downloadurl:https://www.advantech.com/support/details/firmware?id=1-HIPU-183

Trust: 0.8

title:Advantech Iview SQL Repair measures for injecting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=152916

Trust: 0.6

sources: ZDI: ZDI-21-656 // ZDI: ZDI-21-655 // ZDI: ZDI-21-654 // ZDI: ZDI-21-653 // ZDI: ZDI-21-652 // ZDI: ZDI-21-651 // ZDI: ZDI-21-650 // ZDI: ZDI-21-649 // JVNDB: JVNDB-2021-001742 // CNNVD: CNNVD-202106-250

EXTERNAL IDS

db:NVDid:CVE-2021-32932

Trust: 8.1

db:ICS CERTid:ICSA-21-154-01

Trust: 2.5

db:ZDIid:ZDI-21-656

Trust: 1.3

db:JVNid:JVNVU92160646

Trust: 0.8

db:JVNDBid:JVNDB-2021-001742

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-13141

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-13137

Trust: 0.7

db:ZDIid:ZDI-21-655

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-11846

Trust: 0.7

db:ZDIid:ZDI-21-654

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-11838

Trust: 0.7

db:ZDIid:ZDI-21-653

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-11837

Trust: 0.7

db:ZDIid:ZDI-21-652

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-11836

Trust: 0.7

db:ZDIid:ZDI-21-651

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-11834

Trust: 0.7

db:ZDIid:ZDI-21-650

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-11833

Trust: 0.7

db:ZDIid:ZDI-21-649

Trust: 0.7

db:CNNVDid:CNNVD-202106-250

Trust: 0.7

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:CS-HELPid:SB2021060407

Trust: 0.6

db:AUSCERTid:ESB-2021.1970

Trust: 0.6

db:VULHUBid:VHN-392918

Trust: 0.1

sources: ZDI: ZDI-21-656 // ZDI: ZDI-21-655 // ZDI: ZDI-21-654 // ZDI: ZDI-21-653 // ZDI: ZDI-21-652 // ZDI: ZDI-21-651 // ZDI: ZDI-21-650 // ZDI: ZDI-21-649 // VULHUB: VHN-392918 // JVNDB: JVNDB-2021-001742 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-250 // NVD: CVE-2021-32932

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-21-154-01

Trust: 8.7

url:http://jvn.jp/cert/jvnvu92160646

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021060407

Trust: 0.6

url:https://www.zerodayinitiative.com/advisories/zdi-21-656/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1970

Trust: 0.6

sources: ZDI: ZDI-21-656 // ZDI: ZDI-21-655 // ZDI: ZDI-21-654 // ZDI: ZDI-21-653 // ZDI: ZDI-21-652 // ZDI: ZDI-21-651 // ZDI: ZDI-21-650 // ZDI: ZDI-21-649 // VULHUB: VHN-392918 // JVNDB: JVNDB-2021-001742 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-250 // NVD: CVE-2021-32932

CREDITS

Selim Enes Karaduman (@Enesdex)

Trust: 4.2

sources: ZDI: ZDI-21-654 // ZDI: ZDI-21-653 // ZDI: ZDI-21-652 // ZDI: ZDI-21-651 // ZDI: ZDI-21-650 // ZDI: ZDI-21-649

SOURCES

db:ZDIid:ZDI-21-656
db:ZDIid:ZDI-21-655
db:ZDIid:ZDI-21-654
db:ZDIid:ZDI-21-653
db:ZDIid:ZDI-21-652
db:ZDIid:ZDI-21-651
db:ZDIid:ZDI-21-650
db:ZDIid:ZDI-21-649
db:VULHUBid:VHN-392918
db:JVNDBid:JVNDB-2021-001742
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202106-250
db:NVDid:CVE-2021-32932

LAST UPDATE DATE

2024-08-14T13:13:32.358000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-21-656date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-655date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-654date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-653date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-652date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-651date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-650date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-649date:2021-06-07T00:00:00
db:VULHUBid:VHN-392918date:2021-06-21T00:00:00
db:JVNDBid:JVNDB-2021-001742date:2021-06-07T03:01:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202106-250date:2021-06-15T00:00:00
db:NVDid:CVE-2021-32932date:2021-06-21T22:37:53.433

SOURCES RELEASE DATE

db:ZDIid:ZDI-21-656date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-655date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-654date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-653date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-652date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-651date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-650date:2021-06-07T00:00:00
db:ZDIid:ZDI-21-649date:2021-06-07T00:00:00
db:VULHUBid:VHN-392918date:2021-06-11T00:00:00
db:JVNDBid:JVNDB-2021-001742date:2021-06-07T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202106-250date:2021-06-03T00:00:00
db:NVDid:CVE-2021-32932date:2021-06-11T17:15:11.057