CVE-2019-12720
Description
AUO SunVeillance Monitoring System before v1.1.9e is vulnerable to mvc_send_mail.aspx (MailAdd parameter) SQL Injection. An attacker can carry a SQL Injection payload to the server, allowing the attacker to read privileged data. This also affects the picture_manage_mvc.aspx plant_no parameter, the swapdl_mvc.aspx plant_no parameter, and the account_management.aspx Text_Postal_Code and Text_Dis_Code parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AUO SunVeillance Monitoring System before v1.1.9e is vulnerable to SQL injection in multiple parameters, allowing unauthenticated attackers to read privileged data.
Vulnerability
AUO SunVeillance Monitoring System versions prior to v1.1.9e contain multiple SQL injection vulnerabilities. The flaw exists in the mvc_send_mail.aspx page, specifically in the MailAdd parameter. Similar SQL injection issues also affect picture_manage_mvc.aspx (parameter: plant_no), swapdl_mvc.aspx (parameter: plant_no), and account_management.aspx (parameters: Text_Postal_Code and Text_Dis_Code) [1]. The application fails to sanitize user-supplied input before passing it to an Oracle database query.
Exploitation
An attacker can trigger the vulnerability without any authentication by accessing the /Solar_Web_Portal/mvc_send_mail.aspx page and injecting a single quotation mark into the MailAdd parameter, which causes an error message revealing database information [1]. Using automated tools like sqlmap, an attacker can extract the full database list from the server by targeting the MailAdd parameter [1]. The other vulnerable parameters (in picture_manage_mvc.aspx, swapdl_mvc.aspx, and account_management.aspx) similarly allow SQL injection without requiring prior authentication.
Impact
Successful exploitation allows an attacker to read privileged data stored in the Oracle database underlying the SunVeillance Monitoring System [1]. This can lead to disclosure of sensitive information, including credentials, system configurations, and other confidential data. The attacker gains unauthorized read access to the entire database contents.
Mitigation
A fix was released in version v1.1.9e of the AUO SunVeillance Monitoring System, which addresses these SQL injection vulnerabilities [1]. All users should upgrade to v1.1.9e or later. No workarounds are documented in the available references. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AUO/SunVeillance Monitoring System
- Range: < 1.1.9e
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the MailAdd parameter (and other parameters) allows an attacker to inject arbitrary SQL commands into the backend Oracle database query."
Attack vector
An unauthenticated attacker sends a crafted HTTP request to the mvc_send_mail.aspx endpoint, injecting a single quote or a full SQL payload into the MailAdd parameter [ref_id=1]. The server passes the unsanitized input directly into an Oracle SQL query, causing error messages that reveal database information and enabling data exfiltration via tools like sqlmap [ref_id=1]. The same injection pattern applies to the plant_no parameter in picture_manage_mvc.aspx and swapdl_mvc.aspx, as well as the Text_Postal_Code and Text_Dis_Code parameters in account_management.aspx [ref_id=1]. No authentication is required to reach these pages [ref_id=1].
Affected code
The vulnerable endpoints are /Solar_Web_Portal/mvc_send_mail.aspx (MailAdd parameter), picture_manage_mvc.aspx (plant_no parameter), swapdl_mvc.aspx (plant_no parameter), and account_management.aspx (Text_Postal_Code and Text_Dis_Code parameters) [ref_id=1]. The advisory does not specify the exact source files or database access functions.
What the fix does
The advisory states that version v1.1.9e fixes the vulnerability, but no patch diff is provided in the bundle [ref_id=1]. The remediation would require parameterized queries or strict input validation on the MailAdd, plant_no, Text_Postal_Code, and Text_Dis_Code parameters to prevent SQL injection. Without the actual patch, the exact code changes are unknown.
Preconditions
- Network: the attacker must have network access to the AUO SunVeillance Monitoring System web interface.
- Authentication: none required; the vulnerable pages are accessible without login.
- Input: the attacker must supply a malicious SQL payload via one of the vulnerable parameters (MailAdd, plant_no, Text_Postal_Code, Text_Dis_Code).
Reproduction
(1) Access the sending mail page at /Solar_Web_Portal/mvc_send_mail.aspx without authentication.
(2) Modify the MailAdd parameter value with a single quotation mark; the error response reveals Oracle database information.
(3) Use sqlmap to enumerate databases: sqlmap.py -u "https://<host>/Solar_Web_Portal/mvc_send_mail.aspx?MailAdd=" -p MailAdd --dbs [ref_id=1].
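A defender-side counterpart to the request pattern above: this Python is an added example, not part of the advisory or of the vendor's product. It scans a constructed IIS W3C log excerpt for requests to the pages named in this CVE whose vulnerable parameters carry SQL metacharacters, or that arrive with the sqlmap user agent used in the advisory's PoC; the log field layout, client IPs and timestamps are constructed assumptions.

```python
import re
from urllib.parse import parse_qs
# Pages/parameters from the advisory; matched on file name since only mvc_send_mail.aspx has its directory given.
VULNERABLE_PARAMS = {
    "mvc_send_mail.aspx": {"mailadd"},
    "picture_manage_mvc.aspx": {"plant_no"},
    "swapdl_mvc.aspx": {"plant_no"},
    "account_management.aspx": {"text_postal_code", "text_dis_code"},
}
# A quote (the advisory's error-triggering probe), SQL comment markers or UNION ... SELECT do not belong in a mail address or a code.
SQLI_PATTERN = re.compile(r"'|--|/\*|\bunion\b.*\bselect\b", re.IGNORECASE)

# Constructed IIS W3C-style excerpt (not real traffic). IIS keeps cs-uri-query percent-encoded, so values are decoded below.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2019-10-01 10:00:01 GET /Solar_Web_Portal/mvc_send_mail.aspx MailAdd=ops%40example.com 10.0.0.5 Mozilla/5.0 200
2019-10-01 10:00:07 GET /Solar_Web_Portal/mvc_send_mail.aspx MailAdd=%27 10.0.0.9 Mozilla/5.0 500
2019-10-01 10:00:12 GET /Solar_Web_Portal/swapdl_mvc.aspx plant_no=12%27 10.0.0.9 sqlmap/1.3 500
2019-10-01 10:00:15 GET /Solar_Web_Portal/login.aspx user=o%27brien 10.0.0.7 Mozilla/5.0 200
2019-10-01 10:00:18 GET /Solar_Web_Portal/account_management.aspx Text_Postal_Code=30010 10.0.0.9 sqlmap/1.3 200
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_injection_attempts(lines):
    """Return (client_ip, page, param, decoded_value, reason) for each suspicious hit."""
    hits = []
    for rec in parse_w3c(lines):
        page = rec["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        params = VULNERABLE_PARAMS.get(page)
        if not params:
            continue  # page not named in the advisory: out of scope for this rule
        ua = rec.get("cs(User-Agent)", "-").lower()
        for name, values in parse_qs(rec["cs-uri-query"], keep_blank_values=True).items():
            if name.lower() not in params:
                continue
            for value in values:
                if SQLI_PATTERN.search(value):
                    hits.append((rec["c-ip"], page, name, value, "sql-metacharacters"))
                elif ua.startswith("sqlmap"):  # tool named in the advisory's PoC
                    hits.append((rec["c-ip"], page, name, value, "sqlmap-user-agent"))
    return hits
```

The quote in the login.aspx request is deliberately not flagged: the rule is scoped to the pages and parameters the advisory names, so a name like O'Brien on an unrelated page does not raise noise.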
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- drive.google.com/file/d/1QYgj4FU0MjSIhgXwddg4L5no9KYn8E9v/view
- www.exploit-db.com/exploits/47542
News mentions
No linked articles in our index yet.