{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52335", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2024-01-11T20:39:58.816Z", "datePublished": "2024-11-22T20:05:15.175Z", "dateUpdated": "2024-12-05T19:32:34.015Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2024-11-22T20:05:15.175Z"}, "title": "Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability", "descriptions": [{"lang": "en", "value": "Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17863."}], "affected": [{"vendor": "Advantech", "product": "iView", "versions": [{"version": "5.7.04", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-610/", "name": "ZDI-24-610", "tags": ["x_research-advisory"]}, {"url": "https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183", "name": "vendor-provided URL", "tags": ["vendor-advisory"]}], "dateAssigned": "2024-01-11T14:42:51.906-06:00", "datePublic": "2024-06-12T09:10:09.423-05:00", "source": {"lang": "en", "value": "Anonymous"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}]}, "adp": [{"affected": [{"vendor": "advantech", "product": "iview", "cpes": ["cpe:2.3:a:advantech:iview:5.7.04:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.7.04", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-26T15:15:56.906074Z", "id": "CVE-2023-52335", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-05T19:32:34.015Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52335", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-26T15:15:56.906074Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:advantech:iview:5.7.04:*:*:*:*:*:*:*"], "vendor": "advantech", "product": "iview", "versions": [{"status": "affected", "version": "5.7.04"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-05T19:32:25.125Z"}}], "cna": {"title": "Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability", "source": {"lang": "en", "value": "Anonymous"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "Advantech", "product": "iView", "versions": [{"status": "affected", "version": "5.7.04"}], "defaultStatus": "unknown"}], "datePublic": "2024-06-12T09:10:09.423-05:00", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-610/", "name": "ZDI-24-610", "tags": ["x_research-advisory"]}, {"url": "https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183", "name": "vendor-provided URL", "tags": ["vendor-advisory"]}], "dateAssigned": "2024-01-11T14:42:51.906-06:00", "descriptions": [{"lang": "en", "value": "Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17863."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2024-11-22T20:05:15.175Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52335", "state": "PUBLISHED", "dateUpdated": "2024-12-05T19:32:34.015Z", "dateReserved": "2024-01-11T20:39:58.816Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2024-11-22T20:05:15.175Z", "assignerShortName": "zdi"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:advantech:iview:*:*:*:*:*:*:*:*", "matchCriteriaId": "FFB283D2-9626-493E-AC5C-7B9B507AC546", "versionEndExcluding": "5.7.04.6752", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17863."}, {"lang": "es", "value": "Vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n mediante inyecci\u00f3n SQL en ConfigurationServlet de Advantech iView. Esta vulnerabilidad permite a atacantes remotos divulgar informaci\u00f3n confidencial sobre las instalaciones afectadas de Advantech iView. No se requiere autenticaci\u00f3n para explotar esta vulnerabilidad. La falla espec\u00edfica existe dentro del servlet ConfigurationServlet, que escucha en el puerto TCP 8080 de manera predeterminada. Al analizar el elemento column_value, el proceso no valida correctamente una cadena proporcionada por el usuario antes de usarla para construir consultas SQL. Un atacante puede aprovechar esta vulnerabilidad para divulgar credenciales almacenadas, lo que conduce a una mayor vulnerabilidad. Era ZDI-CAN-17863."}], "id": "CVE-2023-52335", "lastModified": "2025-01-09T16:05:53.673", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-11-22T20:15:07.927", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Release Notes"], "url": "https://www.advantech.com/zh-tw/support/details/firmware?id=1-HIPU-183"}, {"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-610/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}

{}

{}