Advantech WebAccess Node chkLogin2 SQL Injection
TSL ID: TSL20180124-12
CVE ID(s): CVE-2018-5443
Severity: Moderate
Description

An SQL injection vulnerability has been reported in Advantech WebAccess Node. The vulnerability is due to insufficient validation of input used to construct SQL queries.

A remote attacker could exploit this vulnerability by sending a crafted HTTP request to the target server. Successful exploitation could allow the attacker to access and modify potentially sensitive information.

Advantech has released a software update to address this issue but has not provided any specific advisory regarding the update or the vulnerability.

ICS-CERT has released the following advisory regarding this vulnerability:

https://ics-cert.us-cert.gov/advisories/ICSA-18-023-01

Affected Products
  • Advantech WebAccess prior to 8.2_20170817
CVSS Score
Base 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is NONE
Temporal 4.7 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
Identifiers
ZDI
References
  • https://ics-cert.us-cert.gov/advisories/ICSA-18-023-01
  • http://www.advantech.com/industrial-automation/webaccess