103 matches found
CVE-2021-38389
This CVE affects Advantech WebAccess (versions 9.02 and earlier). A stack-based buffer overflow vulnerability exists in the handling of IOCTL 0x1138B, allowing remote code execution with no authentication required. ZDI reports that the flaw can be exploited by remote attackers to execute code in ...
CVE-2015-3946
CVE-2015-3946 (Advantech WebAccess) : A CSRF vulnerability exists in WebAccess prior to version 8.1 that can allow remote attackers to hijack user authentication. Affected product: Advantech WebAccess (HMI/SCADA software). Root cause: cross-site request forgery enabling unauthorized actions in au...
CVE-2020-12010
CVE-2020-12010 affects Advantech WebAccess Node (versions 8.4.4 and prior; 9.0.0). The vulnerability is a relative path traversal in the WebAccess Node application that can let an authenticated user craft a file to delete files outside the application's control. Documented impact includes potenti...
CVE-2016-0854
Affected product: Advantech WebAccess, specifically the Dashboard Viewer component of WebAccess prior to version 8.1. Vulnerability summary: Unrestricted upload of a file with dangerous type via the UploadAjaxAction script (uploadImageCommon/uploadFile/uploadBannerImage paths) in the WebAccess Da...
CVE-2017-12719
CVE-2017-12719 is an Untrusted Pointer Dereference in Advantech WebAccess prior to V8.2_20170817. Multiple connected sources (ZDI advisories) document a remote code execution vulnerability in the webvrpcs/drawsrv components via improper validation of user-supplied pointers, allowing an unauthenti...
CVE-2018-10590
The CVE-2018-10590 entry describes an information exposure vulnerability in Advantech WebAccess family products (WebAccess, WebAccess Dashboard, WebAccess Scada Node, WebAccess/NMS) across versions including V8.2_20170817 and prior, V8.3.0 and prior, Dashboard 2.0.15 and prior, Scada Node prior t...
CVE-2018-8841
CVE-2018-8841 affects Advantech WebAccess products (WebAccess, Dashboard, Scada Node, NMS) up to specific versions; the flaw is improper privilege management that lets an authenticated user modify files that should be read-only. Reported by multiple sources (ZDI/CISA ICS) with a CVSSv3 base score...
CVE-2020-12006
Affected product. Advantech WebAccess Node (HMI platform). Vulnerabilities. Multiple relative path traversal issues in WebAccess Node versions 8.4.4 and earlier, and 9.0.0 and earlier, may allow a low-privilege user to overwrite files outside the application’s control. Red Hat and NVD entries cor...
CVE-2020-16202
Advantech WebAccess Node is affected: all versions prior to 9.0.1 have incorrect permissions for resources used by specific services, potentially enabling code execution with system privileges (CWE-732). Affected product: WebAccess Node (HMI platform). Root cause: incorrect resource permissions. ...
CVE-2017-5154
The CVE-2017-5154 issue affects Advantech WebAccess 8.1, where an SQL injection vulnerability exists in updateTemplate.aspx. The underlying flaw is insufficient input validation, enabling an attacker to craft inputs that could grant administrative access to the application and its data files. Pub...
CVE-2018-7503
CVE-2018-7503 is a path traversal vulnerability affecting Advantech WebAccess family prior to 8.3.1, including WebAccess, WebAccess Dashboard, WebAccess Scada Node, and WebAccess/NMS. The root cause is improper validation in the DownloadAction/servlet pathway, allowing an attacker to disclose sen...
CVE-2018-8845
CVE-2018-8845 is a heap-based buffer overflow in Advantech WebAccess products (versions: V8.2_20170817 and prior; V8.3.0 and prior; WebAccess Dashboard 2.0.15 and prior; WebAccess Scada Node before 8.3.1; WebAccess/NMS 2.0.3 and prior) that may allow remote code execution. The root cause is heap-...
CVE-2020-12026
Advantech WebAccess Node is affected: versions 8.4.4 and earlier, and 9.0.0, contain relative path traversal vulnerabilities that may allow a low-privilege user to overwrite files outside the application’s control. Connected sources (ZDI advisories and the US-CISA/ICS advisory) describe IOCTL-dri...
CVE-2023-2866
Summary: CVE-2023-2866 affects Advantech WebAccess/SCADA 8.4.5. The issue is described as Insufficient Type Distinction (CWE-351). An attacker who can trick an authenticated user into loading a maliciously crafted .zip file could use a web shell to gain full control of the SCADA server. The CVSS ...
CVE-2018-10589
The connected advisories confirm a path traversal vulnerability in Advantech WebAccess components (notably webvrpcs) that can lead to remote code execution. Affected: WebAccess WebAccess versions up to 8.2_20170817, 8.3.0 and prior; WebAccess Dashboard up to 2.0.15; WebAccess Scada Node prior to ...
CVE-2019-3940
CVE-2019-3940 affects Advantech WebAccess 8.3.4. The vulnerability is a file upload issue via an unauthenticated RPC call, enabling a remote attacker to execute arbitrary code. No exploit details or remediation/version fix are provided in the supplied documents; impact is indicated as remote code...
CVE-2020-12018
Advantech WebAccess Node (HMI platform) is affected by CVE-2020-12018 via an out-of-bounds read in IOCTL handling of ViewSrv.dll/DrawSrv.dll, exposing unauthorized data. Affected versions are WebAccess Node 8.4.4 and prior, and 9.0.0. The vulnerability enables information disclosure without authe...
CVE-2015-6467
CVE-2015-6467 affects Advantech WebAccess (HMI/SCADA) prior to version 8.1. The vulnerability is a remote code execution via a browser plugin, allowing an attacker to run arbitrary code on the target. Connected sources confirm a remote-exploit scenario and that Advantech released WebAccess 8.1 to...
CVE-2021-38408
CVE-2021-38408 affects Advantech WebAccess (versions 9.02 and earlier). The vulnerability is a stack-based buffer overflow caused by improper validation of the length of user-supplied data, potentially enabling remote code execution. Public documentation consistently describes impact as remote co...
CVE-2017-12702
CVE-2017-12702 affects Advantech WebAccess prior to version V8.2_20170817. The issue is an Externally Controlled Format String (CWE-134): string format specifiers based on user input are not properly validated, potentially enabling arbitrary code execution. The vulnerability is associated with th...
CVE-2017-12704
Advantech WebAccess is affected by a HEAP-BASED BUFFER OVERFLOW (CVE-2017-12704) in versions prior to V8.2_20170817. The issue arises from improper validation of the length of user-supplied data before copying to a heap buffer, potentially allowing arbitrary code execution under the process. Affe...
CVE-2018-14816
CVE-2018-14816 maps to multiple stack-based buffer overflow flaws in Advantech WebAccess components. Connected advisories (ZDI-18-1300, -1302, -1303, -1304, -1305, -1306, -1307, -1300? and related CNVD) describe remote code execution via careless validation of user-supplied data copied into fixed...
CVE-2023-4215
Advantech WebAccess 9.1.3 is affected by CVE-2023-4215, an information-disclosure vulnerability that could leak user credentials via the Cloud Agent Debug service when configuring or modifying account information. The vulnerability is documented across multiple sources (NVD/NVD-ICS, CISA ICS advi...
CVE-2017-12708
CVE-2017-12708 affects Advantech WebAccess versions prior to V8.2_20170817. It is an improper restriction of operations within the bounds of a memory buffer (CWE-119) that could allow referencing invalid memory locations, potentially enabling arbitrary code execution or a crash. Multiple connecte...
CVE-2017-5175
CVE-2017-5175 affects Advantech WebAccess 8.1 and earlier and is a DLL hijacking vulnerability. An attacker could cause the application to load a malicious DLL from the search path, leading to arbitrary code execution on the affected system. Connected sources corroborate affected software version...
CVE-2018-7497
The CVE-2018-7497 entry relates to Advantech WebAccess/WebAccess Node components with untrusted pointer dereference flaws exposed via multiple webvrpcs IOCTL interfaces. The ZDI advisories (ZDI-18-491/492/493/494/495/496 and related variants) describe remote code execution opportunities where an ...
CVE-2018-7501
The CVE describes multiple SQL injection vulnerabilities in Advantech WebAccess family products prior to certain versions, leading to potential disclosure of sensitive host information. Connected advisories (ZDI) detail specific vulnerable entry points in BWMobileService.dll used by WebAccess Nod...
CVE-2019-3941
Advantech WebAccess 8.3.4 is affected by CVE-2019-3941. The vulnerability allows unauthenticated, remote attackers to delete arbitrary files via IOCTL 10005 RPC. Affected product: Advantech WebAccess (version 8.3.4). Root cause: improper handling of IOCTL 10005 RPC leading to arbitrary file delet...
CVE-2019-3942
Affected product : Advantech WebAccess 8.3.4. Vulnerability : An access-control error in a remote procedure call (RPC) allows unauthenticated, remote users to read files. Root cause: insufficient restriction on RPC calls leading to exposure of sensitive files; attacker could recover the administr...
CVE-2016-0858
CVE-2016-0858 affects Advantech WebAccess prior to 8.1. A race condition in the WebAccess components can be triggered by a crafted request, enabling remote attackers to execute arbitrary code or cause a denial of service via a buffer overflow. Public sources identify this as a remote-exploit scen...
CVE-2016-5810
Advantech WebAccess vulnerable upAdminPg.asp (before 8.1_20160519) exposes password information to remote authenticated administrators via unspecified vectors. The CVE-2016-5810 issue is classified as an information-disclosure vulnerability in the upAdminPg.asp component, enabling an admin higher...
CVE-2017-12710
CVE-2017-12710 corresponds to an SQL injection vulnerability in Advantech WebAccess, affecting versions prior to V8.2_20170817. The vulnerability arises from insufficient validation of input used to construct SQL queries (rmTemplate.aspx context per ZDI advisory), potentially allowing an attacker...
CVE-2017-7929
CVE-2017-7929 is an Absolute Path Traversal vulnerability in Advantech WebAccess (versions 8.1 and earlier). The issue allows an attacker to traverse the file system and access restricted files or directories via network-accessible input, due to insufficient input filtering in the WebAccess web i...
CVE-2018-7505
Advantech WebAccess/NMS is affected by CVE-2018-7505 described by ZDI-18-470 as an unrestricted file upload in the TFTP service that allows remote code execution. The flaw, in the TFTP configuration, permits uploading arbitrary files with no authentication, enabling code execution under SYSTEM on...
CVE-2017-16732
CVE-2017-16732 affects Advantech WebAccess prior to version 8.3. It is a use-after-free vulnerability allowing an unauthenticated attacker to specify an arbitrary address, potentially crashing the device or enabling further impact. The incident is documented across multiple sources (NVD/NV D summ...
CVE-2017-16753
CVE-2017-16753 is an improper input validation vulnerability affecting Advantech WebAccess before 8.3. WebAccess may crash due to certain inputs; CVSSv3Base 5.0 (N/A for confidentiality/integrity, Availability High) with network access and low attack complexity. ICS-CERT/NCCIC advisories (ICSA-18...
CVE-2018-14806
Advantech WebAccess CVE-2018-14806 is a path traversal vulnerability in WebAccess 8.3.1 and earlier that could allow an attacker to execute arbitrary code. Affected software: Advantech WebAccess (versions 8.3.1 and prior). Root cause: path traversal in handling file paths/execution flow enabling ...
CVE-2018-15706
The CVE-2018-15706 vulnerability affects Advantech WebAccess WADashboard API (versions 8.3.1 and 8.3.2). The readFile API is vulnerable to a directory traversal flaw that allows remote authenticated attackers to read arbitrary files on the server filesystem. The issue is caused by insufficient va...
CVE-2016-0859
Summary: CVE-2016-0859 affects Advantech WebAccess before 8.1. The vulnerability is an integer overflow in the Kernel service that can be triggered by a crafted RPC request, leading to remote code execution or a denial of service (stack-based buffer overflow). Affected product/version: WebAccess ...
CVE-2017-16736
Summary: CVE-2017-16736 affects Advantech WebAccess prior to 8.3. The root cause is insufficient input validation of the picfile parameter in gmicons.asp, enabling a remote attacker to perform an arbitrary file upload. Impact (as described): Remote arbitrary file upload could enable further compr...
CVE-2018-14828
Summary: CVE-2018-14828 affects Advantech WebAccess 8.3.1 and earlier, through an improper privilege management vulnerability that can allow an attacker to access files and perform actions at administrator level. Affected product/condition: WebAccess on vulnerable installs; the flaw arises from a...
CVE-2018-17908
CVE-2018-17908 affects Advantech WebAccess (versions 8.3.2 and prior). The root cause is improper access control: the installer disables User Account Control and does not re-enable it after installation, allowing local privilege escalation to the Administrator context. Connected advisories confir...
CVE-2016-0851
CVE-2016-0851 affects Advantech WebAccess prior to 8.1. The issue arises from a memory safety flaw (out-of-bounds access) that can be triggered remotely, leading to a denial of service. ZDI documents a separate vulnerable path in the BwOpcSvc.dll 0x13881 IOCTL implementation, described as an unco...
CVE-2016-4528
CVE-2016-4528 is a classic buffer overflow in Advantech WebAccess (pre-8.1_20160519). A specially crafted DLL file can trigger the overflow when the vulnerable WebAccess runs, with local user interaction; ICS-CERT notes it could allow code to be inserted and run, while other sources describe pote...
CVE-2018-14820
Advantech WebAccess 8.3.1 and earlier are affected by CVE-2018-14820 due to a .dll component that permits external control of file name or path, enabling arbitrary file deletion when processing. Exploitation is described as remote and unauthenticated in vendor advisories and ZDI reports, with the...
CVE-2019-3951
Summary: CVE-2019-3951 affects Advantech WebAccess (HMI/SCADA) prior to 8.4.3. The issue is a stack-based buffer overflow in the webvrpcs service when processing IOCTL 70533 RPC messages, allowing unauthenticated remote attackers to execute arbitrary code or cause memory corruption, potentially l...
CVE-2016-0853
Advantech WebAccess (HMI/SCADA) before version 8.1 is affected by CVE-2016-0853, enabling remote attackers to obtain sensitive information via crafted input. The advisory notes the issue is tied to input handling and results in information disclosure. Advantech released WebAccess 8.1 to address v...
CVE-2016-4525
Summary: CVE-2016-4525, CVE-2016-4528 and CVE-2016-5810 affect Advantech WebAccess prior to version 8.1_20160519. The issues arise from unsafe ActiveX controls marked as safe-for-scripting (CVE-2016-4525), a buffer overflow via crafted DLLs (CVE-2016-4528), and information exposure where an authe...
CVE-2021-34540
Affected software: Advantech WebAccess 8.4.2 and 8.4.4. Vulnerability: Cross-site scripting (XSS) via the username field on the bwRoot.asp page of the WADashboard. Root cause/condition: reflected/injected XSS context is implied by the description, but explicit technical details about the root cau...
CVE-2016-0852
CVE-2016-0852 affects Advantech WebAccess (pre-8.1). The vulnerability, described in ICS-CERT and CVE records, allows remote attackers to bypass an administrative requirement and gain access to files/folders via unspecified vectors. Affected versions include WebAccess 8.0 and earlier. Impact desc...