Advantech WISE-PaaS/RMM, versions 3.3.29 and prior. Lack of sanitization of user-supplied input causes SQL injection vulnerabilities. An attacker can leverage these vulnerabilities to disclose information.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Link | Tags |
---|---|
https://www.us-cert.gov/ics/advisories/icsa-19-304-01 | third party advisory, us government resource |
https://www.zerodayinitiative.com/advisories/ZDI-19-949/ | vdb entry, third party advisory |
https://www.zerodayinitiative.com/advisories/ZDI-19-940/ | vdb entry, third party advisory |
https://www.zerodayinitiative.com/advisories/ZDI-19-938/ | vdb entry, third party advisory |
https://www.zerodayinitiative.com/advisories/ZDI-19-951/ | vdb entry, third party advisory |
https://www.zerodayinitiative.com/advisories/ZDI-19-955/ | vdb entry, third party advisory |
https://www.zerodayinitiative.com/advisories/ZDI-19-937/ | vdb entry, third party advisory |
https://www.zerodayinitiative.com/advisories/ZDI-19-956/ | vdb entry, third party advisory |
https://www.zerodayinitiative.com/advisories/ZDI-19-952/ | vdb entry, third party advisory |
https://www.zerodayinitiative.com/advisories/ZDI-19-957/ | vdb entry, third party advisory |
https://www.zerodayinitiative.com/advisories/ZDI-19-948/ | vdb entry, third party advisory |