The vulnerability of extensions for providing access to InTouch Access Anywhere and Plant SCADA Access Anywhere, related to errors in processing the relative path to the catalog, allows a hacker to gain read access to files located outside the protected web server.

🗓️ 03 Apr 2023 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 1 Views

Vulnerability in InTouch Access Anywhere and Plant SCADA Access Anywhere extensions via relative catalog path errors.

Reporter	Title	Published	Views	Family All 19
0day.today	InTouch Access Anywhere Secure Gateway 2020 R2 Path Traversal Vulnerability	9 Sep 202200:00	–	zdt
0day.today	AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal Vulnerability	11 Nov 202200:00	–	zdt
Circl	CVE-2022-23854	24 Dec 202200:14	–	circl
CNNVD	AVEVA InTouch Access Anywhere Secure Gateway 路径遍历漏洞	9 Sep 202200:00	–	cnnvd
CVE	CVE-2022-23854	23 Dec 202220:50	–	cve
Cvelist	CVE-2022-23854	23 Dec 202220:50	–	cvelist
Exploit DB	AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal	11 Nov 202200:00	–	exploitdb
ICS	AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere	8 Dec 202200:00	–	ics
NCSC	Vulnerabilities fixed in Aveva products	16 Mar 202300:00	–	ncsc
Nuclei	AVEVA InTouch Access Anywhere Secure Gateway - Local File Inclusion	10 Jun 202605:11	–	nuclei

Vulners

Node

aveva_software,_llc intouch_access_anywhereRange<2023b

OR

aveva_software,_llc plant_scada_access_anywhereRange<2023

Source	Link
exploit-db	www.exploit-db.com/exploits/51028
cisa	www.cisa.gov/news-events/ics-advisories/icsa-22-342-02
aveva	www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2023-001.pdf
web	www.web.nvd.nist.gov/view/vuln/detail
ics-cert	www.ics-cert.us-cert.gov/advisories/ICSA-22-342-02

03 Apr 2023 00:00Current

7.2High risk

Vulners AI Score7.2

CVSS 37.5

CVSS 27.8

EPSS0.92182

InTouch Access Anywhere Plant SCADA Access Catalog Path Errors Outside Web Server