nessus / Tenable / 9956.PRM
History: Feb 14, 2017 - 12:00 a.m.

Advantech WebAccess < 7.1-2013.05.30 Multiple Vulnerabilities

2017-02-14 00:00:00
Tenable
www.tenable.com

CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.122 Low
Percentile: 95.4%

The installed version of Advantech WebAccess is prior to 7.1-2013.05.30 and is affected by the following vulnerabilities:

  • The ‘ProjDesc’ parameter of the ‘/broadWeb/include/gAddNew.asp’ script is affected by a stored cross-site scripting (XSS) vulnerability. (CVE-2013-2299)
  • Multiple flaws exist on an RPC service (‘webvrpcs.exe’) that listens remotely on TCP port 4592. The first is an overflow condition that exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. The second is an information disclosure vulnerability that allows an unauthenticated, remote attacker to obtain the security code value that protects the SCADA node via a long string in an RPC request to TCP port 4592. (CVE-2011-4041)

Vendor | Product | Version | CPE
advantech | advantech_webaccess | | cpe:/a:advantech:advantech_webaccess
