CVE-2019-12720

HIGH

AUO SunVeillance Monitoring System < 1.1.9e - SQL Injection via mvc_send_mail.aspx MailAdd Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-12720. PoCs published by Luca.Chiou.

AI-analyzed exploit summary This is a writeup describing SQL injection vulnerabilities in AUO SunVeillance Monitoring System. It details multiple endpoints and parameters vulnerable to SQLi, including steps to exploit using sqlmap.

Description

AUO SunVeillance Monitoring System before v1.1.9e is vulnerable to mvc_send_mail.aspx (MailAdd parameter) SQL Injection. An Attacker can carry a SQL Injection payload to the server, allowing the attacker to read privileged data. This also affects the picture_manage_mvc.aspx plant_no parameter, the swapdl_mvc.aspx plant_no parameter, and the account_management.aspx Text_Postal_Code and Text_Dis_Code parameters.

Exploits (1)

exploitdb WRITEUP
by Luca.Chiou · textwebappshardware
https://www.exploit-db.com/exploits/47542

This is a writeup describing SQL injection vulnerabilities in AUO SunVeillance Monitoring System. It details multiple endpoints and parameters vulnerable to SQLi, including steps to exploit using sqlmap.

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: AUO SunVeillance Monitoring System all versions prior to v1.1.9e
No auth needed
Prerequisites: Access to the target web interface · sqlmap or similar tool for exploitation
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://drive.google.com/file/d/1QYgj4FU0MjSIhgXwddg4L5no9KYn8E9v/view
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/47542

Scores

CVSS v3 7.5
EPSS 0.0168
EPSS Percentile 74.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-89
Status published
Products (1)
auo/sunveillance_monitoring_system_\&_data_recorder < 1.1.9e
Published Nov 12, 2019
Tracked Since Feb 18, 2026