ID

VAR-202209-1749


CVE

CVE-2022-3323


TITLE

Advantech  Made  iView  In  SQL  Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-002776

DESCRIPTION

An SQL injection vulnerability in Advantech iView 5.7.04.6469. The specific flaw exists within the ConfigurationServlet endpoint, which listens on TCP port 8080 by default. An unauthenticated remote attacker can craft a special column_value parameter in the setConfiguration action to bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform SQL injection. For example, the attacker can exploit the vulnerability to retrieve the iView admin password. Advantech Provided by the company iView The following vulnerabilities exist in. It was * SQL injection (CWE-89) - CVE-2022-3323 It was 2022 Year 12 Moon 9 As of today, we have confirmed that the demonstration code for this vulnerability has been released.If the vulnerability is exploited, it may be affected as follows. It was * Sensitive information of the product is stolen by a remote third party

Trust: 1.71

sources: NVD: CVE-2022-3323 // JVNDB: JVNDB-2022-002776 // VULHUB: VHN-430947

AFFECTED PRODUCTS

vendor:advantechmodel:iviewscope:eqversion:5.7.04.6469

Trust: 1.0

vendor:アドバンテック株式会社model:iviewscope:eqversion: -

Trust: 0.8

vendor:アドバンテック株式会社model:iviewscope:lteversion:5_7_04_6469 and earlier

Trust: 0.8

sources: JVNDB: JVNDB-2022-002776 // NVD: CVE-2022-3323

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-3323
value: HIGH

Trust: 1.0

NVD: CVE-2022-3323
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202209-2819
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-3323
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-3323
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2022-002776 // CNNVD: CNNVD-202209-2819 // NVD: CVE-2022-3323

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.1

problemtype:SQL injection (CWE-89) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-430947 // JVNDB: JVNDB-2022-002776 // NVD: CVE-2022-3323

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202209-2819

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202209-2819

PATCH

title:iView - Webserver versionurl:https://www.advantech.com/en/support/details/firmware?id=1-HIPU-183

Trust: 0.8

sources: JVNDB: JVNDB-2022-002776

EXTERNAL IDS

db:NVDid:CVE-2022-3323

Trust: 3.3

db:TENABLEid:TRA-2022-32

Trust: 1.7

db:JVNid:JVNVU92856810

Trust: 0.8

db:ICS CERTid:ICSA-22-342-01

Trust: 0.8

db:JVNDBid:JVNDB-2022-002776

Trust: 0.8

db:AUSCERTid:ESB-2022.6439

Trust: 0.6

db:CNNVDid:CNNVD-202209-2819

Trust: 0.6

db:VULHUBid:VHN-430947

Trust: 0.1

sources: VULHUB: VHN-430947 // JVNDB: JVNDB-2022-002776 // CNNVD: CNNVD-202209-2819 // NVD: CVE-2022-3323

REFERENCES

url:https://www.tenable.com/security/research/tra-2022-32

Trust: 1.7

url:https://jvn.jp/vu/jvnvu92856810/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-3323

Trust: 0.8

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-342-01

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-3323/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.6439

Trust: 0.6

sources: VULHUB: VHN-430947 // JVNDB: JVNDB-2022-002776 // CNNVD: CNNVD-202209-2819 // NVD: CVE-2022-3323

SOURCES

db:VULHUBid:VHN-430947
db:JVNDBid:JVNDB-2022-002776
db:CNNVDid:CNNVD-202209-2819
db:NVDid:CVE-2022-3323

LAST UPDATE DATE

2024-08-14T13:53:01.947000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-430947date:2022-09-29T00:00:00
db:JVNDBid:JVNDB-2022-002776date:2022-12-12T05:43:00
db:CNNVDid:CNNVD-202209-2819date:2022-12-12T00:00:00
db:NVDid:CVE-2022-3323date:2022-09-29T16:41:35.093

SOURCES RELEASE DATE

db:VULHUBid:VHN-430947date:2022-09-27T00:00:00
db:JVNDBid:JVNDB-2022-002776date:2022-12-12T00:00:00
db:CNNVDid:CNNVD-202209-2819date:2022-09-27T00:00:00
db:NVDid:CVE-2022-3323date:2022-09-27T23:15:15.867