Key Information

Vulnerability Title: Advantech WebAccess/VPN < 1.1.5 SQL Injection via AjaxStandaloneVpnClientsController
Severity: MEDIUM
Published: November 6, 2025
Affected Versions: WebAccess/VPN < 1.1.5
CVE ID: CVE-2025-34245
CWE ID: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS Score: 5.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Reference: Advantech Advisory
Discovered by: Alex Williams from Pellera Technologies

Description: Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxStandaloneVpnClientsController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information.