Ecava recommends users update to the latest version of its IntegraXor to mitigate a SQL Injection, according to a report with ICS-CERT.
A web SCADA/HMI solution, Ecava IntegraXor v 6.1.1030.1 and prior suffer from the remotely exploitable vulnerability, discovered by Steven Seeley of Source Incite, and Michael DePlante and Brad Taylor working with Zero Day Initiative.
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information from the database or generate an error in the database log.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerability.
A SQL injection vulnerability has been identified, which an attacker can leverage to disclose sensitive information from the database.
CVE-2017-16733 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
Another SQL Injection vulnerability has been identified, which generates an error in the database log.
CVE-2017-16735 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product sees use mainly in the critical manufacturing, energy and water and wastewater systems sectors.
It also sees action in the United Kingdom, United States, Australia, Poland, Canada, and Estonia.
Malaysia–based Ecava recommends users of affected IntegraXor versions update to version 6.1.1215.0 or newer.