Sign-up

ID

VAR-202206-2050


CVE

CVE-2022-2135


TITLE

Advantech iView setTaskEditorItem DESCRIPTION SQL Injection Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-22-919

DESCRIPTION

The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information. Authentication is not required to exploit this vulnerability.The specific flaw exists within the NetworkServlet endpoint, which listens on TCP port 8080 by default. When parsing the dtInstallDate element of the savePSInfo action, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise

Trust: 11.07

sources: NVD: CVE-2022-2135 // ZDI: ZDI-22-918 // ZDI: ZDI-22-881 // ZDI: ZDI-22-883 // ZDI: ZDI-22-891 // ZDI: ZDI-22-893 // ZDI: ZDI-22-899 // ZDI: ZDI-22-901 // ZDI: ZDI-22-919 // ZDI: ZDI-22-909 // ZDI: ZDI-22-911 // ZDI: ZDI-22-913 // ZDI: ZDI-22-914 // ZDI: ZDI-22-915 // ZDI: ZDI-22-916 // ZDI: ZDI-22-917 // ZDI: ZDI-22-903 // VULHUB: VHN-426269

AFFECTED PRODUCTS

vendor:advantechmodel:iviewscope: - version: -

Trust: 11.2

vendor:advantechmodel:iviewscope:ltversion:5.7.04.6469

Trust: 1.0

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-911 // ZDI: ZDI-22-909 // ZDI: ZDI-22-903 // ZDI: ZDI-22-901 // ZDI: ZDI-22-899 // ZDI: ZDI-22-893 // ZDI: ZDI-22-891 // ZDI: ZDI-22-883 // ZDI: ZDI-22-881 // NVD: CVE-2022-2135

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2022-2135
value: HIGH

Trust: 9.1

ZDI: CVE-2022-2135
value: CRITICAL

Trust: 2.1

nvd@nist.gov: CVE-2022-2135
value: HIGH

Trust: 1.0

ics-cert@hq.dhs.gov: CVE-2022-2135
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202206-2713
value: HIGH

Trust: 0.6

ZDI: CVE-2022-2135
baseSeverity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 9.1

ZDI: CVE-2022-2135
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 2.1

nvd@nist.gov: CVE-2022-2135
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 2.0

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-911 // ZDI: ZDI-22-909 // ZDI: ZDI-22-903 // ZDI: ZDI-22-901 // ZDI: ZDI-22-899 // ZDI: ZDI-22-893 // ZDI: ZDI-22-891 // ZDI: ZDI-22-883 // ZDI: ZDI-22-881 // CNNVD: CNNVD-202206-2713 // NVD: CVE-2022-2135 // NVD: CVE-2022-2135

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.1

sources: VULHUB: VHN-426269 // NVD: CVE-2022-2135

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202206-2713

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202206-2713

PATCH

title:Advantech has issued an update to correct this vulnerability.url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 11.2

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-911 // ZDI: ZDI-22-909 // ZDI: ZDI-22-903 // ZDI: ZDI-22-901 // ZDI: ZDI-22-899 // ZDI: ZDI-22-893 // ZDI: ZDI-22-891 // ZDI: ZDI-22-883 // ZDI: ZDI-22-881

EXTERNAL IDS

db:NVDid:CVE-2022-2135

Trust: 12.9

db:ICS CERTid:ICSA-22-179-03

Trust: 1.7

db:ZDI_CANid:ZDI-CAN-16750

Trust: 0.7

db:ZDIid:ZDI-22-919

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16529

Trust: 0.7

db:ZDIid:ZDI-22-918

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16535

Trust: 0.7

db:ZDIid:ZDI-22-917

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16561

Trust: 0.7

db:ZDIid:ZDI-22-916

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16585

Trust: 0.7

db:ZDIid:ZDI-22-915

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16562

Trust: 0.7

db:ZDIid:ZDI-22-914

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16591

Trust: 0.7

db:ZDIid:ZDI-22-913

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16531

Trust: 0.7

db:ZDIid:ZDI-22-911

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16660

Trust: 0.7

db:ZDIid:ZDI-22-909

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16724

Trust: 0.7

db:ZDIid:ZDI-22-903

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16530

Trust: 0.7

db:ZDIid:ZDI-22-901

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16545

Trust: 0.7

db:ZDIid:ZDI-22-899

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16648

Trust: 0.7

db:ZDIid:ZDI-22-893

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16564

Trust: 0.7

db:ZDIid:ZDI-22-891

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16646

Trust: 0.7

db:ZDIid:ZDI-22-883

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-16552

Trust: 0.7

db:ZDIid:ZDI-22-881

Trust: 0.7

db:CS-HELPid:SB2022062918

Trust: 0.6

db:AUSCERTid:ESB-2022.3141

Trust: 0.6

db:CNNVDid:CNNVD-202206-2713

Trust: 0.6

db:VULHUBid:VHN-426269

Trust: 0.1

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-911 // ZDI: ZDI-22-909 // ZDI: ZDI-22-903 // ZDI: ZDI-22-901 // ZDI: ZDI-22-899 // ZDI: ZDI-22-893 // ZDI: ZDI-22-891 // ZDI: ZDI-22-883 // ZDI: ZDI-22-881 // VULHUB: VHN-426269 // CNNVD: CNNVD-202206-2713 // NVD: CVE-2022-2135

REFERENCES

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-179-03

Trust: 12.9

url:https://cxsecurity.com/cveshow/cve-2022-2135/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.3141

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022062918

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03

Trust: 0.6

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-918 // ZDI: ZDI-22-917 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-911 // ZDI: ZDI-22-909 // ZDI: ZDI-22-903 // ZDI: ZDI-22-901 // ZDI: ZDI-22-899 // ZDI: ZDI-22-893 // ZDI: ZDI-22-891 // ZDI: ZDI-22-883 // ZDI: ZDI-22-881 // VULHUB: VHN-426269 // CNNVD: CNNVD-202206-2713 // NVD: CVE-2022-2135

CREDITS

@rgod777

Trust: 7.0

sources: ZDI: ZDI-22-919 // ZDI: ZDI-22-916 // ZDI: ZDI-22-915 // ZDI: ZDI-22-914 // ZDI: ZDI-22-913 // ZDI: ZDI-22-909 // ZDI: ZDI-22-903 // ZDI: ZDI-22-893 // ZDI: ZDI-22-891 // ZDI: ZDI-22-883

SOURCES

db:ZDIid:ZDI-22-919
db:ZDIid:ZDI-22-918
db:ZDIid:ZDI-22-917
db:ZDIid:ZDI-22-916
db:ZDIid:ZDI-22-915
db:ZDIid:ZDI-22-914
db:ZDIid:ZDI-22-913
db:ZDIid:ZDI-22-911
db:ZDIid:ZDI-22-909
db:ZDIid:ZDI-22-903
db:ZDIid:ZDI-22-901
db:ZDIid:ZDI-22-899
db:ZDIid:ZDI-22-893
db:ZDIid:ZDI-22-891
db:ZDIid:ZDI-22-883
db:ZDIid:ZDI-22-881
db:VULHUBid:VHN-426269
db:CNNVDid:CNNVD-202206-2713
db:NVDid:CVE-2022-2135

LAST UPDATE DATE

2025-07-26T23:07:50.014000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-22-919date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-918date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-917date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-916date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-915date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-914date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-913date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-911date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-909date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-903date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-901date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-899date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-893date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-891date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-883date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-881date:2022-06-30T00:00:00
db:VULHUBid:VHN-426269date:2022-07-28T00:00:00
db:CNNVDid:CNNVD-202206-2713date:2022-07-29T00:00:00
db:NVDid:CVE-2022-2135date:2022-07-28T20:10:10.260

SOURCES RELEASE DATE

db:ZDIid:ZDI-22-919date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-918date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-917date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-916date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-915date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-914date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-913date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-911date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-909date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-903date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-901date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-899date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-893date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-891date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-883date:2022-06-30T00:00:00
db:ZDIid:ZDI-22-881date:2022-06-30T00:00:00
db:VULHUBid:VHN-426269date:2022-07-22T00:00:00
db:CNNVDid:CNNVD-202206-2713date:2022-06-28T00:00:00
db:NVDid:CVE-2022-2135date:2022-07-22T15:15:08.117