本ページは advantech iview に影響する公開済み CVE(NVD の CPE 経由で関連付け)を列挙します。各行に深刻度指標・概要・公開日が含まれます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2022-50595 | Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_search_value’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges. | [email protected] | 9.3 | 0.37% | 2025-11-06 | 2025-11-24 |
| CVE-2022-50594 | Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘data’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords. | [email protected] | 8.8 | 0.10% | 2025-11-06 | 2025-11-24 |
| CVE-2022-50593 | Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘search_term’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges. | [email protected] | 9.3 | 0.41% | 2025-11-06 | 2025-12-08 |
| CVE-2022-50592 | Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘getInventoryReportData’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges. | [email protected] | 9.3 | 0.37% | 2025-11-06 | 2025-11-24 |
| CVE-2022-50591 | Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_config_id’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords. | [email protected] | 8.8 | 0.16% | 2025-11-06 | 2025-11-24 |
| CVE-2025-53519 | A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By manipulating specific parameters, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities. | [email protected] | 5.1 | 0.05% | 2025-07-11 | 2025-07-23 |
| CVE-2025-53515 | A vulnerability exists in Advantech iView that allows for SQL injection and remote code execution through NetworkServlet.archiveTrap(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account. | [email protected] | 8.7 | 0.87% | 2025-07-11 | 2025-08-01 |
| CVE-2025-53509 | A vulnerability exists in Advantech iView that allows for argument injection in the NetworkServlet.restoreDatabase(). This issue requires an authenticated attacker with at least user-level privileges. An input parameter can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials. | [email protected] | 7.1 | 0.06% | 2025-07-11 | 2025-08-01 |
| CVE-2025-53475 | A vulnerability exists in Advantech iView that could allow for SQL injection and remote code execution through NetworkServlet.getNextTrapPage(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters in this function are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account. | [email protected] | 8.7 | 1.84% | 2025-07-11 | 2025-07-23 |
| CVE-2025-53397 | A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By exploiting this flaw, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities. | [email protected] | 5.1 | 0.05% | 2025-07-11 | 2025-08-01 |
| CVE-2025-52577 | A vulnerability exists in Advantech iView that could allow SQL injection and remote code execution through NetworkServlet.archiveTrapRange(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account. | [email protected] | 8.7 | 0.87% | 2025-07-11 | 2025-07-23 |
| CVE-2025-48891 | A vulnerability exists in Advantech iView that could allow for SQL injection through the CUtils.checkSQLInjection() function. This vulnerability can be exploited by an authenticated attacker with at least user-level privileges, potentially leading to information disclosure or a denial-of-service condition. | [email protected] | 7.2 | 0.20% | 2025-07-11 | 2025-07-23 |
| CVE-2025-46704 | A vulnerability exists in Advantech iView in NetworkServlet.processImportRequest() that could allow for a directory traversal attack. This issue requires an authenticated attacker with at least user-level privileges. A specific parameter is not properly sanitized or normalized, potentially allowing an attacker to determine the existence of arbitrary files on the server. | [email protected] | 5.3 | 0.25% | 2025-07-11 | 2025-07-23 |
| CVE-2025-41442 | A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By manipulating certain input parameters, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities. | [email protected] | 5.1 | 0.05% | 2025-07-11 | 2025-07-23 |
| CVE-2023-52335 | Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it | [email protected] | 7.5 | 0.43% | 2024-11-22 | 2025-01-09 |
| CVE-2023-3983 | An authenticated SQL injection vulnerability exists in Advantech iView versions prior to v5.7.4 build 6752. An authenticated remote attacker can bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform blind SQL injection. | [email protected] | 8.8 | 0.11% | 2023-07-31 | 2024-11-21 |
| CVE-2022-3323 | An SQL injection vulnerability in Advantech iView 5.7.04.6469. The specific flaw exists within the ConfigurationServlet endpoint, which listens on TCP port 8080 by default. An unauthenticated remote attacker can craft a special column_value parameter in the setConfiguration action to bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform SQL injection. For example, the attacker can exploit the vulnerability to retrieve the iView admin password. | [email protected] | 7.5 | 0.81% | 2022-09-27 | 2025-05-21 |
| CVE-2022-2143 | The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code. | [email protected] | 9.8 | 58.31% | 2022-07-22 | 2024-11-21 |
| CVE-2022-2142 | The affected product is vulnerable to a SQL injection with high attack complexity, which may allow an unauthorized attacker to disclose information. | [email protected] | 8.1 | 0.16% | 2022-07-22 | 2024-11-21 |
| CVE-2022-2139 | The affected product is vulnerable to directory traversal, which may allow an attacker to access unauthorized files and execute arbitrary code. | [email protected] | 6.5 | 0.38% | 2022-07-22 | 2024-11-21 |