44 matches found
CVE-2014-0772
The BWOCXRUN.BwocxrunCtrl.1 control contains a method namedOpenUrlToBufferTimeout. This method takes a URL as a parameter andreturns its contents to the caller in JavaScript. The URLs are accessedin the security context of the current browser session. The control doesnot perform any URL validation ...
CVE-2014-0763
An attacker using SQL injection may use arguments to construct querieswithout proper sanitization. The DBVisitor.dll is exposed through SOAPinterfaces, and the exposed functions are vulnerable to SOAP injection.This may allow unexpected SQL action and access to records in the tableof the software d...
CVE-2012-0236
Advantech/BroadWin WebAccess 7.0 and earlier allows remote attackers to obtain sensitive information via a direct request to a URL. NOTE: the vendor reportedly "does not consider it to be a security risk."
CVE-2014-0764
By providing an overly long string to the NodeName parameter, anattacker may be able to overflow the static stack buffer. The attackermay then execute code on the target device remotely.
CVE-2014-0991
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the projectname parameter.
CVE-2014-0771
The BWOCXRUN.BwocxrunCtrl.1 control contains a method named“OpenUrlToBuffer.” This method takes a URL as a parameter and returnsits contents to the caller in JavaScript. The URLs are accessed in thesecurity context of the current browser session. The control does notperform any URL validation and a...
CVE-2014-2367
The ChkCookie subroutine in an ActiveX control in broadweb/include/gChkCook.asp in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call.
CVE-2014-0767
An attacker may exploit this vulnerability by passing an overly longvalue from the AccessCode argument to the control. This will overflowthe static stack buffer. The attacker may then execute code on thetarget device remotely.
CVE-2014-0766
An attacker can exploit this vulnerability by copying an overly longNodeName2 argument into a statically sized buffer on the stack tooverflow the static stack buffer. An attacker may use this vulnerabilityto remotely execute arbitrary code.
CVE-2011-4523
Cross-site scripting (XSS) vulnerability in bwview.asp in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
CVE-2014-0986
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.
CVE-2014-0765
To exploit this vulnerability, the attacker sends data from the GotoCmdargument to control. If the value of the argument is overly long, thestatic stack buffer can be overflowed. This will allow the attacker toexecute arbitrary code remotely.
CVE-2014-0770
By providing an overly long string to the UserName parameter, anattacker may be able to overflow the static stack buffer. The attackermay then execute code on the target device remotely.
CVE-2014-0773
The BWOCXRUN.BwocxrunCtrl.1 control contains a method named“CreateProcess.” This method contains validation to ensure an attackercannot run arbitrary command lines. After validation, the valuessupplied in the HTML are passed to the Windows CreateProcessA API. The validation can be bypassed allowing...
CVE-2014-2368
The BrowseFolder method in the bwocxrun ActiveX control in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call.
CVE-2014-0768
An attacker may pass an overly long value from the AccessCode2 argumentto the control to overflow the static stack buffer. The attacker maythen remotely execute arbitrary code.
CVE-2014-0988
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.
CVE-2014-2364
Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10)...
CVE-2014-0985
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.
CVE-2011-4524
Buffer overflow in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary code via a long string value in unspecified parameters.
CVE-2012-1234
SQL injection vulnerability in Advantech/BroadWin WebAccess 7.0 allows remote authenticated users to execute arbitrary SQL commands via a malformed URL. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0234.
CVE-2012-0234
SQL injection vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary SQL commands via a malformed URL.
CVE-2012-0241
Advantech/BroadWin WebAccess before 7.0 allows remote attackers to cause a denial of service (memory corruption) via a modified stream identifier to a function.
CVE-2012-0242
Format string vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary code via format string specifiers in a message string.
CVE-2012-0243
Buffer overflow in an ActiveX control in bwocxrun.ocx in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary code by leveraging the ability to write arbitrary content to any pathname.
CVE-2014-2366
upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenticated users to discover credentials by reading HTML source code.
CVE-2011-4522
Cross-site scripting (XSS) vulnerability in bwerrdn.asp in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
CVE-2011-4525
Advantech/BroadWin WebAccess before 7.0 allows remote attackers to trigger the extraction of arbitrary web content into a batch file on a client system, and execute this batch file, via unspecified vectors.
CVE-2012-0233
Cross-site scripting (XSS) vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to inject arbitrary web script or HTML via a malformed URL.
CVE-2011-4521
SQL injection vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary SQL commands via crafted string input.
CVE-2012-0237
Advantech/BroadWin WebAccess before 7.0 allows remote attackers to (1) enable date and time syncing or (2) disable date and time syncing via a crafted URL.
CVE-2012-0235
Cross-site request forgery (CSRF) vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2014-0992
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the password parameter.
CVE-2014-2365
Unspecified vulnerability in Advantech WebAccess before 7.2 allows remote authenticated users to create or delete arbitrary files via unknown vectors.
CVE-2012-0240
GbScriptAddUp.asp in Advantech/BroadWin WebAccess before 7.0 does not properly perform authentication, which allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2012-0244
Multiple SQL injection vulnerabilities in Advantech/BroadWin WebAccess before 7.0 allow remote attackers to execute arbitrary SQL commands via crafted string input.
CVE-2014-0987
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.
CVE-2011-4526
Buffer overflow in an ActiveX control in Advantech/BroadWin WebAccess before 7.0 might allow remote attackers to execute arbitrary code via a long string value in unspecified parameters.
CVE-2012-0238
Stack-based buffer overflow in opcImg.asp in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2013-2299
Cross-site scripting (XSS) vulnerability in Advantech WebAccess (formerly BroadWin WebAccess) before 7.1 2013.05.30 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2014-0989
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.
CVE-2012-0239
uaddUpAdmin.asp in Advantech/BroadWin WebAccess before 7.0 does not properly perform authentication, which allows remote attackers to modify an administrative password via a password-change request.
CVE-2012-1235
Cross-site request forgery (CSRF) vulnerability in Advantech/BroadWin WebAccess 7.0 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0235.
CVE-2014-0990
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the UserName parameter.