This script is Copyright (C) 2015-2024 and is owned by Tenable, Inc. or an Affiliate thereof.SCADA_ADVANTECH_WEBACCESS_7_2_2013_11_14.NBINAdvantech WebAccess < 7.2-2013.11.14 Multiple Vulnerabilities
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.671 Medium
EPSS
Percentile
98.0%
The remote host has a version of Advantech WebAccess prior to version 7.2-2013.11.14. It is, therefore, affected by multiple vulnerabilities :
-
Multiple SQL Injection vulnerabilities exist in ‘DBVisitor.dll’ that can be exploited via specially crafted SOAP requests. (CVE-2014-0763)
-
Multiple stack-based buffer overflow conditions exist in an ActiveX control. (CVE-2014-0764, CVE-2014-0765, CVE-2014-0766, CVE-2014-0767, CVE-2014-0768)
-
The ‘NodeName’ parameter on the web interface is affected by a buffer overflow vulnerability.
(CVE-2014-0770) -
A flawed ActiveX control allows attackers to read arbitrary files. (CVE-2014-0771, CVE-2014-0772)
-
A flawed ActiveX control allows certain executable names to be run from arbitrary path names.
(CVE-2014-0773)
Binary data scada_advantech_webaccess_7_2_2013_11_14.nbinReferences
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0763
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0764
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0765
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0766
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0767
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0768
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0770
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0771
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0772
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0773
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.671 Medium
EPSS
Percentile
98.0%