Sign-up

ID

VAR-202206-2050


CVE

CVE-2022-2135


TITLE

Advantech iView setTaskEditorItem DESCRIPTION SQL Injection Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-22-919

DESCRIPTION

The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the CREATE_DATE element of the removeSearchDevicesFromTask action, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise

Trust: 11.7

sources: NVD: CVE-2022-2135 // ZDI: ZDI-22-918 // ZDI: ZDI-22-881 // ZDI: ZDI-22-882 // ZDI: ZDI-22-891 // ZDI: ZDI-22-892 // ZDI: ZDI-22-894 // ZDI: ZDI-22-901 // ZDI: ZDI-22-902 // ZDI: ZDI-22-919 // ZDI: ZDI-22-911 // ZDI: ZDI-22-912 // ZDI: ZDI-22-913 // ZDI: ZDI-22-914 // ZDI: ZDI-22-915 // ZDI: ZDI-22-916 // ZDI: ZDI-22-917 // ZDI: ZDI-22-904 // VULHUB: VHN-426269

AFFECTED PRODUCTS

vendor:advantechmodel:iviewscope: - version: -

Trust: 11.9

vendor:advantechmodel:iviewscope:ltversion:5.7.04.6469

Trust: 1.0

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-912 // ZDI: ZDI-22-911 // ZDI: ZDI-22-904 // ZDI: ZDI-22-902 // ZDI: ZDI-22-901 // ZDI: ZDI-22-894 // ZDI: ZDI-22-892 // ZDI: ZDI-22-891 // ZDI: ZDI-22-882 // ZDI: ZDI-22-881 // NVD: CVE-2022-2135

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2022-2135
value: HIGH

Trust: 9.8

ZDI: CVE-2022-2135
value: CRITICAL

Trust: 2.1

nvd@nist.gov: CVE-2022-2135
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2135
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202206-2713
value: HIGH

Trust: 0.6

ZDI: CVE-2022-2135
baseSeverity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 9.8

ZDI: CVE-2022-2135
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 2.1

nvd@nist.gov: CVE-2022-2135
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 2.0

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-912 // ZDI: ZDI-22-911 // ZDI: ZDI-22-904 // ZDI: ZDI-22-902 // ZDI: ZDI-22-901 // ZDI: ZDI-22-894 // ZDI: ZDI-22-892 // ZDI: ZDI-22-891 // ZDI: ZDI-22-882 // ZDI: ZDI-22-881 // CNNVD: CNNVD-202206-2713 // NVD: CVE-2022-2135 // NVD: CVE-2022-2135

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.1

sources: VULHUB: VHN-426269 // NVD: CVE-2022-2135

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-2713

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202206-2713

PATCH

title:Advantech has issued an update to correct this vulnerability.url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 11.9

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-912 // ZDI: ZDI-22-911 // ZDI: ZDI-22-904 // ZDI: ZDI-22-902 // ZDI: ZDI-22-901 // ZDI: ZDI-22-894 // ZDI: ZDI-22-892 // ZDI: ZDI-22-891 // ZDI: ZDI-22-882 // ZDI: ZDI-22-881

EXTERNAL IDS

db:NVDid:CVE-2022-2135

Trust: 13.6

db:ICS CERTid:ICSA-22-179-03

Trust: 1.7

db:ZDI_CANid:ZDI-CAN-16750

Trust: 0.7

db:ZDIid:ZDI-22-919

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16529

Trust: 0.7

db:ZDIid:ZDI-22-918

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16535

Trust: 0.7

db:ZDIid:ZDI-22-917

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16561

Trust: 0.7

db:ZDIid:ZDI-22-916

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16585

Trust: 0.7

db:ZDIid:ZDI-22-915

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16562

Trust: 0.7

db:ZDIid:ZDI-22-914

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16591

Trust: 0.7

db:ZDIid:ZDI-22-913

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16751

Trust: 0.7

db:ZDIid:ZDI-22-912

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16531

Trust: 0.7

db:ZDIid:ZDI-22-911

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16592

Trust: 0.7

db:ZDIid:ZDI-22-904

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16731

Trust: 0.7

db:ZDIid:ZDI-22-902

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16530

Trust: 0.7

db:ZDIid:ZDI-22-901

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16649

Trust: 0.7

db:ZDIid:ZDI-22-894

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16547

Trust: 0.7

db:ZDIid:ZDI-22-892

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16564

Trust: 0.7

db:ZDIid:ZDI-22-891

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16647

Trust: 0.7

db:ZDIid:ZDI-22-882

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16552

Trust: 0.7

db:ZDIid:ZDI-22-881

Trust: 0.7

db:CS-HELPid:SB2022062918

Trust: 0.6

db:AUSCERTid:ESB-2022.3141

Trust: 0.6

db:CNNVDid:CNNVD-202206-2713

Trust: 0.6

db:VULHUBid:VHN-426269

Trust: 0.1

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-912 // ZDI: ZDI-22-911 // ZDI: ZDI-22-904 // ZDI: ZDI-22-902 // ZDI: ZDI-22-901 // ZDI: ZDI-22-894 // ZDI: ZDI-22-892 // ZDI: ZDI-22-891 // ZDI: ZDI-22-882 // ZDI: ZDI-22-881 // VULHUB: VHN-426269 // CNNVD: CNNVD-202206-2713 // NVD: CVE-2022-2135

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 13.6

url:https://cxsecurity.com/cveshow/cve-2022-2135/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3141

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022062918

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03

Trust: 0.6

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-912 // ZDI: ZDI-22-911 // ZDI: ZDI-22-904 // ZDI: ZDI-22-902 // ZDI: ZDI-22-901 // ZDI: ZDI-22-894 // ZDI: ZDI-22-892 // ZDI: ZDI-22-891 // ZDI: ZDI-22-882 // ZDI: ZDI-22-881 // VULHUB: VHN-426269 // CNNVD: CNNVD-202206-2713 // NVD: CVE-2022-2135

CREDITS

@rgod777

Trust: 7.7

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-912 // ZDI: ZDI-22-904 // ZDI: ZDI-22-902 // ZDI: ZDI-22-894 // ZDI: ZDI-22-891 // ZDI: ZDI-22-882

SOURCES

db:ZDIid:ZDI-22-919
db:ZDIid:ZDI-22-918
db:ZDIid:ZDI-22-917
db:ZDIid:ZDI-22-916
db:ZDIid:ZDI-22-915
db:ZDIid:ZDI-22-914
db:ZDIid:ZDI-22-913
db:ZDIid:ZDI-22-912
db:ZDIid:ZDI-22-911
db:ZDIid:ZDI-22-904
db:ZDIid:ZDI-22-902
db:ZDIid:ZDI-22-901
db:ZDIid:ZDI-22-894
db:ZDIid:ZDI-22-892
db:ZDIid:ZDI-22-891
db:ZDIid:ZDI-22-882
db:ZDIid:ZDI-22-881
db:VULHUBid:VHN-426269
db:CNNVDid:CNNVD-202206-2713
db:NVDid:CVE-2022-2135

LAST UPDATE DATE

2024-12-19T03:26:57.309000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-22-919date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-918date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-917date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-916date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-915date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-914date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-913date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-912date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-911date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-904date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-902date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-901date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-894date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-892date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-891date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-882date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-881date:2022-06-30T00:00:00
db:VULHUBid:VHN-426269date:2022-07-28T00:00:00
db:CNNVDid:CNNVD-202206-2713date:2022-07-29T00:00:00
db:NVDid:CVE-2022-2135date:2022-07-28T20:10:10.260

SOURCES RELEASE DATE

db:ZDIid:ZDI-22-919date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-918date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-917date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-916date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-915date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-914date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-913date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-912date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-911date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-904date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-902date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-901date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-894date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-892date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-891date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-882date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-881date:2022-06-30T00:00:00
db:VULHUBid:VHN-426269date:2022-07-22T00:00:00
db:CNNVDid:CNNVD-202206-2713date:2022-06-28T00:00:00
db:NVDid:CVE-2022-2135date:2022-07-22T15:15:08.117