Webaccess

Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability that could leak user credentials.

Published: 2023-10-16T23:40:37.761Z
Updated: 2025-01-16T21:29:28.472Z

A stack-based buffer overflow vulnerability in Advantech WebAccess Versions 9.02 and prior caused by a lack of proper validation of the length of user-supplied data may allow remote code execution.

Published: 2021-09-09T11:24:58.000Z
Updated: 2024-08-04T01:37:16.572Z

Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute code.

Published: 2021-10-18T12:41:14.173Z
Updated: 2024-09-16T22:24:38.131Z

Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may allow an attacker to remotely execute code.

Published: 2021-10-18T12:41:08.470Z
Updated: 2024-09-17T03:49:19.278Z

WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may allow code execution with system privileges.

Published: 2020-09-22T14:28:36.000Z
Updated: 2024-08-04T13:37:54.193Z

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control.

Published: 2020-05-08T11:48:19.000Z
Updated: 2024-08-04T11:48:57.082Z

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An improper validation vulnerability exists that could allow an attacker to inject specially crafted input into memory where it can be executed.

Published: 2020-05-08T11:38:54.000Z
Updated: 2024-08-04T11:48:57.655Z

WebAccess Node Version 8.4.4 and prior is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code.

Published: 2020-06-15T19:08:06.000Z
Updated: 2024-08-04T11:48:57.802Z

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An out-of-bounds vulnerability exists that may allow access to unauthorized data.

Published: 2020-05-08T11:51:50.000Z
Updated: 2024-08-04T11:48:57.609Z

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Input is not properly sanitized and may allow an attacker to inject SQL commands.

Published: 2020-05-08T11:46:31.000Z
Updated: 2024-08-04T11:48:57.629Z

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow an authenticated user to use a specially crafted file to delete files outside the application’s control.

Published: 2020-05-08T11:40:22.000Z
Updated: 2024-08-04T11:48:58.249Z

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control.

Published: 2020-05-08T11:41:41.000Z
Updated: 2024-08-04T11:48:57.582Z

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple stack-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution.

Published: 2020-05-08T11:50:42.000Z
Updated: 2024-08-04T11:48:57.668Z

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple heap-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution.

Published: 2020-05-08T11:49:32.000Z
Updated: 2024-08-04T11:06:10.447Z

In Advantech WebAccess, Versions 8.4.2 and prior. A stack-based buffer overflow vulnerability caused by a lack of proper validation of the length of user-supplied data may allow remote code execution.

Published: 2020-03-27T13:27:24.000Z
Updated: 2024-08-04T11:06:10.090Z

Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.

Published: 2019-04-05T18:15:35.000Z
Updated: 2024-08-04T20:23:21.684Z

Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple command injection vulnerabilities, caused by a lack of proper validation of user-supplied data, may allow remote code execution.

Published: 2019-04-05T18:02:39.000Z
Updated: 2024-08-04T20:23:22.066Z

Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple stack-based buffer overflow vulnerabilities, caused by a lack of proper validation of the length of user-supplied data, may allow remote code execution.

Published: 2019-04-05T18:09:34.000Z
Updated: 2024-08-04T20:23:21.543Z

Advantech WebAccess before 8.4.3 allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service (memory corruption) due to a stack-based buffer overflow when handling IOCTL 70533 RPC messages.

Published: 2019-12-12T20:32:10.000Z
Updated: 2024-08-04T19:26:27.479Z

Advantech WebAccess 8.3.4 allows unauthenticated, remote attackers to delete arbitrary files via IOCTL 10005 RPC.

Published: 2019-04-09T15:06:37.000Z
Updated: 2024-08-04T19:26:27.534Z

Advantech WebAccess 8.3.4 is vulnerable to file upload attacks via unauthenticated RPC call. An unauthenticated, remote attacker can use this vulnerability to execute arbitrary code.

Published: 2019-04-09T15:05:01.000Z
Updated: 2024-08-04T19:26:27.481Z

In WebAccess versions 8.4.1 and prior, an exploit executed over the network may cause improper control of generation of code, which may allow remote code execution, data exfiltration, or cause a system crash.

Published: 2019-09-18T21:14:18.000Z
Updated: 2024-08-04T23:57:39.463Z

In WebAccess versions 8.4.1 and prior, multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

Published: 2019-09-18T21:05:50.000Z
Updated: 2024-08-04T23:57:39.443Z

In WebAccess versions 8.4.1 and prior, multiple command injection vulnerabilities are caused by a lack of proper validation of user-supplied data and may allow arbitrary file deletion and remote code execution.

Published: 2019-09-18T21:00:12.000Z
Updated: 2024-08-04T23:57:39.182Z

In WebAccess, versions 8.4.1 and prior, an improper authorization vulnerability may allow an attacker to disclose sensitive information, cause improper control of generation of code, which may allow remote code execution or cause a system crash.

Published: 2019-09-18T20:52:05.000Z
Updated: 2024-08-04T23:57:39.475Z

In WebAccess/SCADA Versions 8.3.5 and prior, multiple untrusted pointer dereference vulnerabilities may allow a remote attacker to execute arbitrary code.

Published: 2019-06-28T20:52:48.000Z
Updated: 2024-08-04T22:40:15.647Z

In WebAccess/SCADA, Versions 8.3.5 and prior, multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

Published: 2019-06-28T20:25:56.000Z
Updated: 2024-08-04T22:40:15.589Z

In WebAccess/SCADA Versions 8.3.5 and prior, multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution. Note: A different vulnerability than CVE-2019-10991.

Published: 2019-06-28T20:31:48.000Z
Updated: 2024-08-04T22:40:15.634Z

In WebAccess/SCADA Versions 8.3.5 and prior, multiple out-of-bounds write vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

Published: 2019-06-28T20:49:28.000Z
Updated: 2024-08-04T22:40:15.688Z

In WebAccess/SCADA, Versions 8.3.5 and prior, a path traversal vulnerability is caused by a lack of proper validation of a user-supplied path prior to use in file operations. An attacker can leverage this vulnerability to delete files while posing as an administrator.

Published: 2019-06-28T20:05:33.000Z
Updated: 2024-08-04T22:40:15.691Z

In WebAccess/SCADA Versions 8.3.5 and prior, an out-of-bounds read vulnerability is caused by a lack of proper validation of user-supplied data. Exploitation of this vulnerability may allow disclosure of information.

Published: 2019-06-28T20:38:08.000Z
Updated: 2024-08-04T22:40:15.527Z

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a heap-based buffer overflow vulnerability has been identified, which may allow an attacker to execute arbitrary code.

Published: 2018-05-15T22:00:00.000Z
Updated: 2024-09-17T04:20:14.985Z

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an improper privilege management vulnerability may allow an authenticated user to modify files when read access should only be given to the user.

Published: 2018-05-15T22:00:00.000Z
Updated: 2024-09-16T16:14:04.315Z

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a TFTP application has unrestricted file uploads to the web application without authorization, which may allow an attacker to execute arbitrary code.

Published: 2018-05-15T22:00:00.000Z
Updated: 2024-09-16T22:29:56.539Z

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path transversal vulnerability has been identified, which may allow an attacker to disclose sensitive information on the target.

Published: 2018-05-15T22:00:00.000Z
Updated: 2024-09-16T17:24:19.997Z

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several SQL injection vulnerabilities have been identified, which may allow an attacker to disclose sensitive information from the host.

Published: 2018-05-15T22:00:00.000Z
Updated: 2024-09-16T20:21:58.642Z

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several stack-based buffer overflow vulnerabilities have been identified, which may allow an attacker to execute arbitrary code.

Published: 2018-05-15T22:00:00.000Z
Updated: 2024-09-16T20:58:20.098Z

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several untrusted pointer dereference vulnerabilities have been identified, which may allow an attacker to execute arbitrary code.

Published: 2018-05-15T22:00:00.000Z
Updated: 2024-09-17T01:51:04.478Z

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an external control of file name or path vulnerability has been identified, which may allow an attacker to delete files.

Published: 2018-05-15T22:00:00.000Z
Updated: 2024-09-17T02:47:10.070Z

WebAccess Versions 8.3.2 and prior. The application fails to properly validate the length of user-supplied data, causing a buffer overflow condition that allows for arbitrary remote code execution.

Published: 2018-10-29T18:00:00.000Z
Updated: 2024-08-05T11:01:14.512Z

WebAccess Versions 8.3.2 and prior. During installation, the application installer disables user access control and does not re-enable it after the installation is complete. This could allow an attacker to run elevated arbitrary code.

Published: 2018-10-29T18:00:00.000Z
Updated: 2024-08-05T11:01:14.890Z

Advantech WebAccess 8.3.2 and below is vulnerable to a stack buffer overflow vulnerability. A remote authenticated attacker could potentially exploit this vulnerability by sending a crafted HTTP request to broadweb/system/opcImg.asp.

Published: 2018-10-22T19:00:00.000Z
Updated: 2024-09-16T19:15:55.882Z

Advantech WebAccess 8.3.2 and below is vulnerable to multiple reflected cross site scripting vulnerabilities. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim to supply malicious HTML or JavaScript code to WebAccess, which is then reflected back to the victim and executed by the web browser.

Published: 2018-10-22T19:00:00.000Z
Updated: 2024-09-16T19:57:33.496Z

Advantech WebAccess 8.3.1 and earlier has an improper privilege management vulnerability, which may allow an attacker to access those files and perform actions at a system administrator level.

Published: 2018-10-23T20:00:00.000Z
Updated: 2024-09-16T19:30:10.895Z

Advantech WebAccess 8.3.1 and earlier has a .dll component that is susceptible to external control of file name or path vulnerability, which may allow an arbitrary file deletion when processing.

Published: 2018-10-23T20:00:00.000Z
Updated: 2024-09-16T23:05:35.703Z

Advantech WebAccess 8.3.1 and earlier has several stack-based buffer overflow vulnerabilities that have been identified, which may allow an attacker to execute arbitrary code.

Published: 2018-10-23T20:00:00.000Z
Updated: 2024-09-17T02:01:48.026Z

Advantech WebAccess 8.3.1 and earlier has a path traversal vulnerability which may allow an attacker to execute arbitrary code.

Published: 2018-10-23T20:00:00.000Z
Updated: 2024-09-16T20:32:50.100Z

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an origin validation error vulnerability has been identified, which may allow an attacker can create a malicious web site, steal session cookies, and access data of authenticated users.

Published: 2018-05-15T22:00:00.000Z
Updated: 2024-09-16T18:19:27.437Z

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an information exposure vulnerability through directory listing has been identified, which may allow an attacker to find important files that are not normally visible.

Published: 2018-05-15T22:00:00.000Z
Updated: 2024-09-16T22:45:05.267Z

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path transversal vulnerability has been identified, which may allow an attacker to execute arbitrary code.

Published: 2018-05-15T22:00:00.000Z
Updated: 2024-09-17T01:20:33.098Z

An Absolute Path Traversal issue was discovered in Advantech WebAccess Version 8.1 and prior. The absolute path traversal vulnerability has been identified, which may allow an attacker to traverse the file system to access restricted files or directories.

Published: 2017-05-06T00:00:00.000Z
Updated: 2024-08-05T16:19:29.504Z

Advantech WebAccess 8.1 and earlier contains a DLL hijacking vulnerability which may allow an attacker to run a malicious DLL file within the search path resulting in execution of arbitrary code.

Published: 2018-05-09T19:00:00.000Z
Updated: 2024-09-17T02:01:34.846Z

An Improper Input Validation issue was discovered in Advantech WebAccess versions prior to 8.3. WebAccess allows some inputs that may cause the program to crash.

Published: 2018-01-05T08:00:00.000Z
Updated: 2024-08-05T20:35:21.034Z

An Unrestricted Upload Of File With Dangerous Type issue was discovered in Advantech WebAccess versions prior to 8.3. WebAccess allows a remote attacker to upload arbitrary files.

Published: 2018-01-12T02:00:00.000Z
Updated: 2024-08-05T20:35:20.670Z

A use-after-free issue was discovered in Advantech WebAccess versions prior to 8.3. WebAccess allows an unauthenticated attacker to specify an arbitrary address.

Published: 2018-01-12T02:00:00.000Z
Updated: 2024-08-05T20:35:20.409Z

An Untrusted Pointer Dereference issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple vulnerabilities that may allow an attacker to cause the program to use an invalid memory address, resulting in a program crash.

Published: 2018-01-05T08:00:00.000Z
Updated: 2024-08-05T20:35:20.278Z

A Stack-based Buffer Overflow issue was discovered in Advantech WebAccess versions prior to 8.3. There are multiple instances of a vulnerability that allows too much data to be written to a location on the stack.

Published: 2018-01-05T08:00:00.000Z
Updated: 2024-08-05T20:35:20.312Z

A Path Traversal issue was discovered in WebAccess versions 8.3.2 and earlier. An attacker has access to files within the directory structure of the target device.

Published: 2018-01-05T08:00:00.000Z
Updated: 2024-08-05T20:35:20.912Z

A SQL Injection issue was discovered in WebAccess versions prior to 8.3. WebAccess does not properly sanitize its inputs for SQL commands.

Published: 2018-01-05T08:00:00.000Z
Updated: 2024-08-05T20:35:20.466Z

A Stack-based Buffer Overflow issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. The application lacks proper validation of the length of user-supplied data prior to copying it to a stack-based buffer, which could allow an attacker to execute arbitrary code under the context of the process.

Published: 2017-11-06T22:00:00.000Z
Updated: 2024-08-05T19:13:41.637Z

An Untrusted Pointer Dereference issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. A remote attacker is able to execute code to dereference a pointer within the program causing the application to become unavailable.

Published: 2017-11-06T22:00:00.000Z
Updated: 2024-08-05T18:43:56.468Z

An Uncontrolled Search Path Element issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. A maliciously crafted dll file placed earlier in the search path may allow an attacker to execute code within the context of the application.

Published: 2017-08-30T18:00:00.000Z
Updated: 2024-08-05T18:43:56.462Z

An Incorrect Permission Assignment for Critical Resource issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Multiple files and folders with ACLs that affect other users are allowed to be modified by non-administrator accounts.

Published: 2017-08-30T18:00:00.000Z
Updated: 2024-08-05T18:43:56.614Z

An Incorrect Privilege Assignment issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. A built-in user account has been granted a sensitive privilege that may allow a user to elevate to administrative privileges.

Published: 2017-08-30T18:00:00.000Z
Updated: 2024-08-05T18:43:56.462Z

A SQL Injection issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. By submitting a specially crafted parameter, it is possible to inject arbitrary SQL statements that could allow an attacker to obtain sensitive information.

Published: 2017-08-30T18:00:00.000Z
Updated: 2024-08-05T18:43:56.619Z

An Improper Restriction Of Operations Within The Bounds Of A Memory Buffer issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Researchers have identified multiple vulnerabilities that allow invalid locations to be referenced for the memory buffer, which may allow an attacker to execute arbitrary code or cause the system to crash.

Published: 2017-08-30T18:00:00.000Z
Updated: 2024-08-05T18:43:56.601Z

A stack-based buffer overflow issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Researchers have identified multiple vulnerabilities where there is a lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer, which could allow an attacker to execute arbitrary code under the context of the process.

Published: 2017-08-30T18:00:00.000Z
Updated: 2024-08-05T18:43:56.460Z

A heap-based buffer overflow issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Researchers have identified multiple vulnerabilities where there is a lack of proper validation of the length of user-supplied data prior to copying it to the heap-based buffer, which could allow an attacker to execute arbitrary code under the context of the process.

Published: 2017-08-30T18:00:00.000Z
Updated: 2024-08-05T18:43:56.536Z

An Externally Controlled Format String issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. String format specifiers based on user provided input are not properly validated, which could allow an attacker to execute arbitrary code.

Published: 2017-08-30T18:00:00.000Z
Updated: 2024-08-05T18:43:56.457Z

An Improper Authentication issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Specially crafted requests allow a possible authentication bypass that could allow remote code execution.

Published: 2017-08-30T18:00:00.000Z
Updated: 2024-08-05T18:43:56.460Z

upAdminPg.asp in Advantech WebAccess before 8.1_20160519 allows remote authenticated administrators to obtain sensitive password information via unspecified vectors.

Published: 2017-05-02T14:00:00.000Z
Updated: 2024-08-06T01:15:10.784Z

Buffer overflow in Advantech WebAccess before 8.1_20160519 allows local users to cause a denial of service via a crafted DLL file.

Published: 2016-06-25T01:00:00.000Z
Updated: 2024-08-06T00:32:25.507Z

Unspecified ActiveX controls in Advantech WebAccess before 8.1_20160519 allow remote authenticated users to obtain sensitive information or modify data via unknown vectors, related to the INTERFACESAFE_FOR_UNTRUSTED_CALLER (aka safe for scripting) flag.

Published: 2016-06-25T01:00:00.000Z
Updated: 2024-08-06T00:32:25.717Z

Buffer overflow in the BwpAlarm subsystem in Advantech WebAccess before 8.1 allows remote attackers to cause a denial of service via a crafted RPC request.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-05T22:30:05.038Z

Integer overflow in the Kernel service in Advantech WebAccess before 8.1 allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted RPC request.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-05T22:30:05.131Z

Race condition in Advantech WebAccess before 8.1 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted request.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-05T22:30:05.044Z

Multiple heap-based buffer overflows in Advantech WebAccess before 8.1 allow remote attackers to execute arbitrary code via unspecified vectors.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-05T22:30:05.129Z

Multiple stack-based buffer overflows in Advantech WebAccess before 8.1 allow remote attackers to execute arbitrary code via unspecified vectors.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-05T22:30:05.073Z

Directory traversal vulnerability in Advantech WebAccess before 8.1 allows remote attackers to list arbitrary virtual-directory files via unspecified vectors.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-05T22:30:05.047Z

Unrestricted file upload vulnerability in the uploadImageCommon function in the UploadAjaxAction script in the WebAccess Dashboard Viewer in Advantech WebAccess before 8.1 allows remote attackers to write to files of arbitrary types via unspecified vectors.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-05T22:30:05.068Z

Advantech WebAccess before 8.1 allows remote attackers to obtain sensitive information via crafted input.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-05T22:30:05.066Z

Advantech WebAccess before 8.1 allows remote attackers to bypass an intended administrative requirement and obtain file or folder access via unspecified vectors.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-05T22:30:05.137Z

Advantech WebAccess before 8.1 allows remote attackers to cause a denial of service (out-of-bounds memory access) via unspecified vectors.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-05T22:30:05.047Z

Advantech WebAccess before 8.1 allows remote attackers to execute arbitrary code via vectors involving a browser plugin.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-06T07:22:21.630Z

Cross-site scripting (XSS) vulnerability in Advantech WebAccess before 8.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-06T06:04:00.988Z

SQL injection vulnerability in Advantech WebAccess before 8.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-06T06:04:02.496Z

Cross-site request forgery (CSRF) vulnerability in Advantech WebAccess before 8.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-06T06:04:00.958Z

Advantech WebAccess before 8.1 allows remote attackers to read sensitive cleartext information about e-mail project accounts via unspecified vectors.

Published: 2016-01-15T02:00:00.000Z
Updated: 2024-08-06T06:04:00.942Z

Multiple stack-based buffer overflows in unspecified DLL files in Advantech WebAccess before 8.0.1 allow remote attackers to execute arbitrary code via unknown vectors.

Published: 2015-09-11T16:00:00.000Z
Updated: 2024-08-06T13:40:24.483Z

Stack-based buffer overflow in Advantech WebAccess, formerly BroadWin WebAccess, before 8.0 allows remote attackers to execute arbitrary code via a crafted ip_address parameter in an HTML document.

Published: 2014-11-21T02:00:00.000Z
Updated: 2024-08-06T13:18:48.124Z

The BrowseFolder method in the bwocxrun ActiveX control in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call.

Published: 2014-07-19T01:00:00.000Z
Updated: 2025-10-06T17:46:06.036Z

The ChkCookie subroutine in an ActiveX control in broadweb/include/gChkCook.asp in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call.

Published: 2014-07-19T01:00:00.000Z
Updated: 2025-10-06T17:48:24.247Z

upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenticated users to discover credentials by reading HTML source code.

Published: 2014-07-19T01:00:00.000Z
Updated: 2025-10-06T17:50:01.014Z

Unspecified vulnerability in Advantech WebAccess before 7.2 allows remote authenticated users to create or delete arbitrary files via unknown vectors.

Published: 2014-07-19T01:00:00.000Z
Updated: 2025-10-06T17:51:28.289Z

Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx.

Published: 2014-07-19T01:00:00.000Z
Updated: 2025-10-06T17:52:36.174Z

The BWOCXRUN.BwocxrunCtrl.1 control contains a method named “CreateProcess.” This method contains validation to ensure an attacker cannot run arbitrary command lines. After validation, the values supplied in the HTML are passed to the Windows CreateProcessA API. The validation can be bypassed allowing for running arbitrary command lines. The command line can specify running remote files (example: UNC command line). A function exists at offset 100019B0 of bwocxrun.ocx. Inside this function, there are 3 calls to strstr to check the contents of the user specified command line. If “\setup.exe,” “\bwvbprt.exe,” or “\bwvbprtl.exe” are contained in the command line (strstr returns nonzero value), the command line passes validation and is then passed to CreateProcessA.

Published: 2014-04-12T01:00:00.000Z
Updated: 2025-09-19T19:18:06.695Z

The BWOCXRUN.BwocxrunCtrl.1 control contains a method named OpenUrlToBufferTimeout. This method takes a URL as a parameter and returns its contents to the caller in JavaScript. The URLs are accessed in the security context of the current browser session. The control does not perform any URL validation and allows file:// URLs that access the local disk. The method can be used to open a URL (including file URLs) and read the URLs through JavaScript. This method could also be used to reach any arbitrary URL to which the browser has access.

Published: 2014-04-12T01:00:00.000Z
Updated: 2025-09-19T19:19:40.873Z

The BWOCXRUN.BwocxrunCtrl.1 control contains a method named “OpenUrlToBuffer.” This method takes a URL as a parameter and returns its contents to the caller in JavaScript. The URLs are accessed in the security context of the current browser session. The control does not perform any URL validation and allows “file://” URLs that access the local disk. The method can be used to open a URL (including file URLs) and read file URLs through JavaScript. This method could also be used to reach any arbitrary URL to which the browser has access.

Published: 2014-04-12T01:00:00.000Z
Updated: 2025-09-19T19:15:27.669Z

By providing an overly long string to the UserName parameter, an attacker may be able to overflow the static stack buffer. The attacker may then execute code on the target device remotely.

Published: 2014-04-12T01:00:00.000Z
Updated: 2025-09-19T19:13:29.027Z

An attacker may pass an overly long value from the AccessCode2 argument to the control to overflow the static stack buffer. The attacker may then remotely execute arbitrary code.

Published: 2014-04-12T01:00:00.000Z
Updated: 2025-09-19T19:12:29.569Z

An attacker may exploit this vulnerability by passing an overly long value from the AccessCode argument to the control. This will overflow the static stack buffer. The attacker may then execute code on the target device remotely.

Published: 2014-04-12T01:00:00.000Z
Updated: 2025-09-19T19:11:31.813Z

An attacker can exploit this vulnerability by copying an overly long NodeName2 argument into a statically sized buffer on the stack to overflow the static stack buffer. An attacker may use this vulnerability to remotely execute arbitrary code.

Published: 2014-04-12T01:00:00.000Z
Updated: 2025-09-19T19:10:40.843Z

To exploit this vulnerability, the attacker sends data from the GotoCmd argument to control. If the value of the argument is overly long, the static stack buffer can be overflowed. This will allow the attacker to execute arbitrary code remotely.

Published: 2014-04-12T01:00:00.000Z
Updated: 2025-09-19T19:09:15.893Z

By providing an overly long string to the NodeName parameter, an attacker may be able to overflow the static stack buffer. The attacker may then execute code on the target device remotely.

Published: 2014-04-12T01:00:00.000Z
Updated: 2025-09-19T19:08:27.053Z

An attacker using SQL injection may use arguments to construct queries without proper sanitization. The DBVisitor.dll is exposed through SOAP interfaces, and the exposed functions are vulnerable to SOAP injection. This may allow unexpected SQL action and access to records in the table of the software database or execution of arbitrary code.

Published: 2014-04-12T01:00:00.000Z
Updated: 2025-09-19T19:06:29.062Z