CVE-2022-3323
CVSS V2 None
CVSS V3 High 7.5
Description
An SQL injection vulnerability in Advantech iView 5.7.04.6469. The specific flaw exists within the ConfigurationServlet endpoint, which listens on TCP port 8080 by default. An unauthenticated remote attacker can craft a special column_value parameter in the setConfiguration action to bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform SQL injection. For example, the attacker can exploit the vulnerability to retrieve the iView admin password.
Overview
- CVE ID
- CVE-2022-3323
- Assigner
- vulnreport@tenable.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-09-27T23:15:15
- Last Modified Date
- 2022-09-29T16:41:35
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:advantech:iview:5.7.04.6469:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- NONE
- Base Score
- 7.5
- Base Severity
- HIGH
- Exploitability Score
- 3.9
- Impact Score
- 3.6
References
| Reference URL | Reference Tags |
|---|---|
| https://www.tenable.com/security/research/tra-2022-32 |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-3323 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3323 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-09-28 00:00:08 | Added to TrackCVE | |||
| 2022-12-07 05:00:51 | 2022-09-27T23:15Z | 2022-09-27T23:15:15 | CVE Published Date | updated |
| 2022-12-07 05:00:51 | 2022-09-29T16:41:35 | CVE Modified Date | updated | |
| 2022-12-07 05:00:51 | Analyzed | Vulnerability Status | updated |