CVE-2021-21917
Description
An exploitable SQL injection vulnerability exists in the 'group_list' page of Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request to the 'ord' parameter can trigger this vulnerability. An attacker can make authenticated HTTP requests to trigger it, either as any authenticated user or through cross-site request forgery.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in Advantech R-SeeNet 2.4.15 via the 'ord' parameter on the group_list page lets an attacker read database contents; through CSRF, an attacker without credentials of their own can have the request issued from a logged-in user's session.
Vulnerability
An exploitable SQL injection vulnerability exists in the group_list page of Advantech R-SeeNet version 2.4.15 (30.07.2021) [1]. The vulnerability is triggered via a specially-crafted HTTP request targeting the ord parameter [1]. The root cause is the misuse of prepared statements combined with SQL concatenation in stored procedures; variables that are initially sanitized lose that protection when the final prepared statement is executed from a dynamic SQL variable without parameter bindings [1].
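As an added illustration (not R-SeeNet's code, which the advisory does not reproduce), the following constructed MySQL stored procedures show the pattern just described next to a corrected form; the table, column and procedure names are assumptions.

```sql
-- Constructed example (not the vendor's code): a stored procedure that
-- builds dynamic SQL with CONCAT() and executes it without parameter
-- bindings, so any earlier sanitization of the inputs is bypassed.
DELIMITER $$

-- Weak pattern: both the sort column and the owner id are spliced into
-- the statement text, so whatever arrives in p_ord becomes part of the
-- query the server parses.
CREATE PROCEDURE group_list_weak(IN p_ord VARCHAR(64), IN p_owner INT)
BEGIN
  SET @sql = CONCAT('SELECT id, name FROM device_groups WHERE owner_id = ',
                    p_owner, ' ORDER BY ', p_ord);
  PREPARE stmt FROM @sql;
  EXECUTE stmt;              -- no USING clause: nothing is bound
  DEALLOCATE PREPARE stmt;
END$$

-- Hardened pattern: identifiers cannot be bound as parameters, so the
-- sort column is mapped through a fixed allow-list; the value (owner id)
-- is passed with EXECUTE ... USING so it never enters the statement text.
CREATE PROCEDURE group_list_safe(IN p_ord VARCHAR(64), IN p_owner INT)
BEGIN
  DECLARE v_col VARCHAR(16);
  SET v_col = CASE p_ord
                WHEN 'name' THEN 'name'
                WHEN 'id'   THEN 'id'
                ELSE 'id'          -- unknown input falls back to a safe default
              END;
  SET @sql = CONCAT('SELECT id, name FROM device_groups WHERE owner_id = ? ',
                    'ORDER BY ', v_col);
  SET @owner = p_owner;        -- EXECUTE USING requires a user variable
  PREPARE stmt FROM @sql;
  EXECUTE stmt USING @owner;
  DEALLOCATE PREPARE stmt;
END$$

DELIMITER ;

-- Review check: grep procedure bodies for PREPARE ... FROM a CONCAT()
-- variable that has no matching EXECUTE ... USING, as in group_list_weak.
```

The allow-list is the important part for an ORDER BY clause: escaping or quoting an identifier does not make it bindable, so the only sound fix is to refuse anything outside a known set of column names.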
Exploitation
An attacker can exploit this vulnerability by sending an authenticated HTTP request with a malicious ord parameter to the group_list page [1]. The attacker can make these requests as any authenticated user, or can leverage cross-site request forgery (CSRF) to trick a legitimate user into performing the request [1]. No special privileges beyond a valid session are required.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries against the backend database, leading to unauthorized read access to sensitive data [1]. According to the CVSS vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), this can result in high confidentiality impact with no impact on integrity or availability, and the scope is changed [1].
Mitigation
At the time of disclosure (2021-12-22), no official patch or fixed version was available [1]. Users should monitor the vendor's advisory page for updates, restrict network access to the R-SeeNet web interface, and implement CSRF protections such as anti-CSRF tokens [1]. If no fix is released, consider upgrading to a supported version or replacing the product.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Advantech / R-SeeNet
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2021-1363 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.