CVE-2021-21920: 
Advantech R-SeeNet vulnerability analysis and mitigation

A SQL injection vulnerability (CVE-2021-21920) exists in the 'surname_filter' parameter of the Advantech R-SeeNet version 2.4.15 (30.07.2021) application. The vulnerability was discovered by Yuri Kramarz of Cisco Talos and publicly disclosed on November 22, 2021 (Talos Report).

The vulnerability exists due to misuse of prepared statements in the application's user_list page. When stored procedures are combined with SQL, variables used to build queries lose their sanitization protection when invoked against the database. The vulnerability occurs specifically in the 'surname_filter' parameter where the SQL query is constructed using concatenation rather than proper parameter binding. The CVSS v3.1 base score is 7.7 (HIGH) with vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. The vulnerability is classified as CWE-89 (SQL Injection) (Talos Report).

A successful exploitation of this vulnerability could allow an authenticated attacker to perform SQL injection attacks and retrieve sensitive information from the application's database. The vulnerability has a high impact on confidentiality but no direct impact on integrity or availability of the system (Talos Report).

The vulnerability was patched by the vendor on November 16, 2021. Users should upgrade to a version newer than R-SeeNet 2.4.15 (Talos Report).