CVE-2021-21915
Description
An exploitable SQL injection vulnerability exists in the ‘group_list’ page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at the ‘company_filter’ parameter can trigger this vulnerability. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in Advantech R-SeeNet 2.4.15 via the `company_filter` parameter on the `group_list` page.
Vulnerability
An exploitable SQL injection vulnerability exists in the group_list page of Advantech R-SeeNet 2.4.15 (30.07.2021). The flaw resides in the company_filter parameter. The application uses stored procedures that concatenate user-supplied input into SQL queries without proper parameter binding, despite initial sanitization, leading to injection. The vulnerable stored procedure sp_GetGroupsCompany builds a dynamic SQL string from unsanitized input. [1]
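The defect described above, dynamic SQL built by string concatenation versus a query with a bound parameter, shown as an added illustration that is not R-SeeNet code and does not reproduce its schema or the sp_GetGroupsCompany procedure. The `groups` table, the sample rows and the `filter_groups_*` functions are constructed for this example; SQLite stands in for the real backend so it runs offline:

```python
"""Dynamic-SQL concatenation versus parameter binding for a company filter.

Added illustration only: the table, rows and function names below are
constructed for this example and are not taken from Advantech R-SeeNet.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not the product's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT, company TEXT);
        INSERT INTO groups (name, company) VALUES
            ('routers-north', 'Acme'),
            ('routers-south', 'Acme'),
            ('sensors',       'Globex'),
            ('plant-floor',   'O''Brien');
        """
    )
    return conn


def filter_groups_concat(conn: sqlite3.Connection, company_filter: str) -> list:
    """Vulnerable pattern: the filter is spliced into the statement text, the way a
    dynamic-SQL stored procedure does it. Any quote in the input reaches the parser."""
    sql = "SELECT name FROM groups WHERE company = '" + company_filter + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def filter_groups_bound(conn: sqlite3.Connection, company_filter: str) -> list:
    """Fixed pattern: the filter is passed as a bound parameter, so the database
    only ever sees it as a string value, never as part of the statement."""
    sql = "SELECT name FROM groups WHERE company = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (company_filter,))]


def run_one(fn, conn: sqlite3.Connection, company_filter: str):
    """Run one filter function; return its rows, or the error class name on failure."""
    try:
        return fn(conn, company_filter)
    except sqlite3.OperationalError as exc:
        return type(exc).__name__


def demo() -> dict:
    """Compare both patterns on a plain value, a legitimate value containing an
    apostrophe, and a constructed input that closes the literal and widens the
    WHERE clause. The apostrophe case is the one a tester can use safely: a
    syntax error proves the input is reaching the SQL parser."""
    conn = make_db()
    inputs = {
        "plain": "Acme",
        "apostrophe": "O'Brien",
        "widened": "x' OR 'a'='a",
    }
    return {
        label: {
            "concat": run_one(filter_groups_concat, conn, value),
            "bound": run_one(filter_groups_bound, conn, value),
        }
        for label, value in inputs.items()
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The apostrophe case is the useful check for defenders: a legitimate company name such as O'Brien breaks the concatenated query with a syntax error, which is the same evidence (a database error surfacing from a filter field) that shows the parameter is treated as SQL text rather than as a value. The bound version returns the correct row for that name and returns nothing for the widened input, because the whole string is compared literally against the company column.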
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the group_list page with a malicious company_filter parameter. The attacker must be an authenticated user, or can trigger the request via cross-site request forgery (CSRF) if a victim is authenticated. No additional privileges beyond a valid session are required. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries against the backend database. This can lead to data exfiltration, including sensitive information from other tables. The impact is primarily to confidentiality, as the attacker can read arbitrary database contents, but not write or modify data. The CVSSv3 score is 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). [1]
Mitigation
As of the advisory publication date (2021-12-22), no patched version of Advantech R-SeeNet has been released. Users should monitor vendor advisories for an update. In the absence of a fix, restricting network access to the application and implementing CSRF protections may reduce risk. The affected version is 2.4.15 (30.07.2021). [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Advantech / R-SeeNet
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1363
News mentions
No linked articles in our index yet.