Key Vulnerability Information

Title: Advantech iView UpdateTable insertUpdateItem SQL Injection Information Disclosure Vulnerability
ID:
- ZDI-20-855
- ZDI-CAN-10671
CVE ID: CVE-2020-14497
CVSS Score: 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Vendors: Advantech
Affected Products: iView

Vulnerability Details

Description: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.

Specific Issue: The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.

Additional Details

Vendor Update: Advantech has issued an update to correct this vulnerability. More details can be found at: https://us-cert.cisa.gov/ics/advisories/icsa-20-196-33

Disclosure Timeline

2020-03-18: Vulnerability reported to vendor
2020-07-16: Coordinated public release of advisory

Credit: rgod