CVE-2021-21923: 
Advantech R-SeeNet vulnerability analysis and mitigation

CVE-2021-21923 is a SQL injection vulnerability discovered in the Advantech R-SeeNet software version 2.4.15 (30.07.2021). The vulnerability exists in the 'user_list' page, specifically in the 'company_filter' parameter. It was discovered by Yuri Kramarz of Cisco Talos and publicly disclosed on November 22, 2021 (Talos Report).

The vulnerability occurs due to improper handling of the 'company_filter' parameter in the user_list.php file. When a company_filter parameter is set as a session variable, it is used to build an SQL query without proper parameter binding, despite initial sanitization attempts. The vulnerability has a CVSS v3.0 base score of 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and is classified as CWE-89 (SQL Injection) (Talos Report).

A successful exploitation of this vulnerability could allow an authenticated attacker to perform SQL injection attacks against the database. The attacker could potentially retrieve sensitive information from the application's database through specially crafted HTTP requests (Talos Report).

The vulnerability was patched by the vendor on November 16, 2021. Users are recommended to upgrade to version 2.4.17 or later to address this vulnerability (CISA Advisory).