Details of VAR-201910-0900

ID

VAR-201910-0900

CVE

CVE-2019-18229

TITLE

Advantech WISE-PaaS/RMM In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-011477

DESCRIPTION

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Lack of sanitization of user-supplied input cause SQL injection vulnerabilities. An attacker can leverage these vulnerabilities to disclose information. Advantech WISE-PaaS/RMM Is SQL An injection vulnerability exists.Information may be obtained. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the SQLMgmt class. Advantech WISE-PaaS/RMM is a set of remote monitoring and management platform for Internet of Things equipment of Advantech in Taiwan. The platform supports cloud-based centralized remote IPC, IoT device hardware and software status monitoring and management, and supports remote power on/off and scheduling, data collection and storage

Trust: 9.09

sources: NVD: CVE-2019-18229 // JVNDB: JVNDB-2019-011477 // ZDI: ZDI-19-937 // ZDI: ZDI-19-956 // ZDI: ZDI-19-948 // ZDI: ZDI-19-957 // ZDI: ZDI-19-949 // ZDI: ZDI-19-952 // ZDI: ZDI-19-938 // ZDI: ZDI-19-940 // ZDI: ZDI-19-955 // ZDI: ZDI-19-951 // CNVD: CNVD-2019-43384 // CNNVD: CNNVD-201910-1921 // VULHUB: VHN-150554

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-43384

AFFECTED PRODUCTS

vendor:	advantech	model:	wise-paas/rmm	scope:	-	version:	-	Trust: 7.0
vendor:	advantech	model:	wise-paas\/rmm	scope:	lte	version:	3.3.29	Trust: 1.0
vendor:	advantech	model:	wise-paas/rmm	scope:	lte	version:	3.3.29	Trust: 0.8
vendor:	advantech	model:	wise-paas/rmm	scope:	lte	version:	<=3.3.29	Trust: 0.6

sources: ZDI: ZDI-19-937 // ZDI: ZDI-19-956 // ZDI: ZDI-19-948 // ZDI: ZDI-19-957 // ZDI: ZDI-19-949 // ZDI: ZDI-19-952 // ZDI: ZDI-19-938 // ZDI: ZDI-19-940 // ZDI: ZDI-19-955 // ZDI: ZDI-19-951 // CNVD: CNVD-2019-43384 // JVNDB: JVNDB-2019-011477 // NVD: CVE-2019-18229

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2019-18229
value:	MEDIUM
Trust: 7.0
nvd@nist.gov:	CVE-2019-18229
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-18229
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-43384
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201910-1921
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-150554
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-18229
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-43384
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-150554
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

ZDI:	CVE-2019-18229
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 6.3
nvd@nist.gov:	CVE-2019-18229
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2019-18229
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8
ZDI:	CVE-2019-18229
baseSeverity:	MEDIUM
baseScore:	5.5
vectorString:	AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.8
impactScore:	3.6
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-19-937 // ZDI: ZDI-19-956 // ZDI: ZDI-19-948 // ZDI: ZDI-19-957 // ZDI: ZDI-19-949 // ZDI: ZDI-19-952 // ZDI: ZDI-19-938 // ZDI: ZDI-19-940 // ZDI: ZDI-19-955 // ZDI: ZDI-19-951 // CNVD: CNVD-2019-43384 // VULHUB: VHN-150554 // JVNDB: JVNDB-2019-011477 // CNNVD: CNNVD-201910-1921 // NVD: CVE-2019-18229

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.9

sources: VULHUB: VHN-150554 // JVNDB: JVNDB-2019-011477 // NVD: CVE-2019-18229

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-1921

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201910-1921

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-011477

PATCH

title:	Advantech has issued an update to correct this vulnerability.	url:	https://www.us-cert.gov/ics/advisories/icsa-19-304-01	Trust: 7.0
title:	WISE-PaaS/RMM	url:	https://www.advantech.com/products/550836fd-a062-4780-8416-3b742bc7fb16/wise-paas-rmm/mod_8a1ba47e-d09f-4847-b478-42372eea29d1	Trust: 0.8
title:	Patch for Advantech WISE-PaaS / RMM SQL Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/192661	Trust: 0.6

EXTERNAL IDS

db:	NVD	id:	CVE-2019-18229	Trust: 10.1
db:	ICS CERT	id:	ICSA-19-304-01	Trust: 3.1
db:	ZDI	id:	ZDI-19-937	Trust: 2.4
db:	ZDI	id:	ZDI-19-956	Trust: 2.4
db:	ZDI	id:	ZDI-19-948	Trust: 2.4
db:	ZDI	id:	ZDI-19-957	Trust: 2.4
db:	ZDI	id:	ZDI-19-949	Trust: 2.4
db:	ZDI	id:	ZDI-19-952	Trust: 2.4
db:	ZDI	id:	ZDI-19-938	Trust: 2.4
db:	ZDI	id:	ZDI-19-940	Trust: 2.4
db:	ZDI	id:	ZDI-19-955	Trust: 2.4
db:	ZDI	id:	ZDI-19-951	Trust: 2.4
db:	JVNDB	id:	JVNDB-2019-011477	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-9148	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-9144	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-9177	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-9145	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-9174	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-9146	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-9191	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-9190	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-9143	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-9147	Trust: 0.7
db:	CNNVD	id:	CNNVD-201910-1921	Trust: 0.7
db:	CNVD	id:	CNVD-2019-43384	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.4067	Trust: 0.6
db:	VULHUB	id:	VHN-150554	Trust: 0.1

sources: ZDI: ZDI-19-937 // ZDI: ZDI-19-956 // ZDI: ZDI-19-948 // ZDI: ZDI-19-957 // ZDI: ZDI-19-949 // ZDI: ZDI-19-952 // ZDI: ZDI-19-938 // ZDI: ZDI-19-940 // ZDI: ZDI-19-955 // ZDI: ZDI-19-951 // CNVD: CNVD-2019-43384 // VULHUB: VHN-150554 // JVNDB: JVNDB-2019-011477 // CNNVD: CNNVD-201910-1921 // NVD: CVE-2019-18229

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-19-304-01	Trust: 10.1
url:	https://www.zerodayinitiative.com/advisories/zdi-19-957/	Trust: 2.3
url:	https://www.zerodayinitiative.com/advisories/zdi-19-937/	Trust: 1.7
url:	https://www.zerodayinitiative.com/advisories/zdi-19-938/	Trust: 1.7
url:	https://www.zerodayinitiative.com/advisories/zdi-19-940/	Trust: 1.7
url:	https://www.zerodayinitiative.com/advisories/zdi-19-948/	Trust: 1.7
url:	https://www.zerodayinitiative.com/advisories/zdi-19-949/	Trust: 1.7
url:	https://www.zerodayinitiative.com/advisories/zdi-19-951/	Trust: 1.7
url:	https://www.zerodayinitiative.com/advisories/zdi-19-952/	Trust: 1.7
url:	https://www.zerodayinitiative.com/advisories/zdi-19-955/	Trust: 1.7
url:	https://www.zerodayinitiative.com/advisories/zdi-19-956/	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-18229	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-18229	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2019.4067/	Trust: 0.6

sources: ZDI: ZDI-19-937 // ZDI: ZDI-19-956 // ZDI: ZDI-19-948 // ZDI: ZDI-19-957 // ZDI: ZDI-19-949 // ZDI: ZDI-19-952 // ZDI: ZDI-19-938 // ZDI: ZDI-19-940 // ZDI: ZDI-19-955 // ZDI: ZDI-19-951 // CNVD: CNVD-2019-43384 // VULHUB: VHN-150554 // JVNDB: JVNDB-2019-011477 // CNNVD: CNNVD-201910-1921 // NVD: CVE-2019-18229

CREDITS

rgod of 9sg

Trust: 7.6

SOURCES

db:	ZDI	id:	ZDI-19-937
db:	ZDI	id:	ZDI-19-956
db:	ZDI	id:	ZDI-19-948
db:	ZDI	id:	ZDI-19-957
db:	ZDI	id:	ZDI-19-949
db:	ZDI	id:	ZDI-19-952
db:	ZDI	id:	ZDI-19-938
db:	ZDI	id:	ZDI-19-940
db:	ZDI	id:	ZDI-19-955
db:	ZDI	id:	ZDI-19-951
db:	CNVD	id:	CNVD-2019-43384
db:	VULHUB	id:	VHN-150554
db:	JVNDB	id:	JVNDB-2019-011477
db:	CNNVD	id:	CNNVD-201910-1921
db:	NVD	id:	CVE-2019-18229

LAST UPDATE DATE

2024-11-23T22:11:47.423000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-19-937	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-956	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-948	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-957	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-949	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-952	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-938	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-940	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-955	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-951	date:	2019-11-01T00:00:00
db:	CNVD	id:	CNVD-2019-43384	date:	2019-12-03T00:00:00
db:	VULHUB	id:	VHN-150554	date:	2019-11-05T00:00:00
db:	JVNDB	id:	JVNDB-2019-011477	date:	2019-11-08T00:00:00
db:	CNNVD	id:	CNNVD-201910-1921	date:	2021-05-18T00:00:00
db:	NVD	id:	CVE-2019-18229	date:	2024-11-21T04:32:53.037

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-19-937	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-956	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-948	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-957	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-949	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-952	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-938	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-940	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-955	date:	2019-11-01T00:00:00
db:	ZDI	id:	ZDI-19-951	date:	2019-11-01T00:00:00
db:	CNVD	id:	CNVD-2019-43384	date:	2019-12-02T00:00:00
db:	VULHUB	id:	VHN-150554	date:	2019-10-31T00:00:00
db:	JVNDB	id:	JVNDB-2019-011477	date:	2019-11-08T00:00:00
db:	CNNVD	id:	CNNVD-201910-1921	date:	2019-10-31T00:00:00
db:	NVD	id:	CVE-2019-18229	date:	2019-10-31T22:15:11.020