CVE-2023-4215 – Advantech WebAccess Debug Messages Revealing Unnecessary Information
https://notcve.org/view.php?id=CVE-2023-4215
Advantech WebAccess version 9.1.3 exposes sensitive information to an unauthorized actor: debug messages reveal more information than necessary and could leak user credentials. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-15 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-1295: Debug Messages Revealing Unnecessary Information
CVE-2021-38408 – Advantech WebAccess BwFLApp Stack-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-38408
A stack-based buffer overflow in Advantech WebAccess versions 9.02 and prior, caused by a lack of proper validation of the length of user-supplied data, may allow remote code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess; authentication is not required to exploit it. The specific flaw exists within the handling of IOCTL 0x2711, which can be used to invoke BwFLApp.exe. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it into a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator. • https://us-cert.cisa.gov/ics/advisories/icsa-21-245-03 • CWE-121: Stack-based Buffer Overflow
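The bug class described above (a length field taken from the request and trusted when copying into a fixed-size stack buffer) is easier to reason about next to its fix. The following is an added illustration, not Advantech's code and not the real WebAccess wire protocol: the 8-byte header layout, the 64-byte `arg` buffer, the `run_case` helper and the payload bytes are all constructed for the example. Only the IOCTL number 0x2711 comes from the advisory. The vulnerable handler is shown for contrast and the demo never feeds it an oversized length.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative message format (an assumption for this example, not the WebAccess protocol):
 * 4-byte LE IOCTL code | 4-byte LE payload length | payload bytes */
#define IOCTL_LAUNCH_APP 0x2711u  /* the IOCTL number named in the advisory */
#define ARG_BUF_SIZE 64           /* assumed size of the fixed stack buffer */
#define MAX_PKT (8 + 256)         /* receive buffer used by the demo */

struct ioctl_msg {
    uint32_t code;
    uint32_t len;            /* attacker-controlled length field */
    const uint8_t *payload;
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse the 8-byte header. Returns false if the packet is shorter than the header. */
static bool parse_msg(const uint8_t *pkt, size_t pkt_len, struct ioctl_msg *out) {
    if (pkt_len < 8) return false;
    out->code = rd32le(pkt);
    out->len = rd32le(pkt + 4);
    out->payload = pkt + 8;
    return true;
}

/* VULNERABLE pattern: the declared length is trusted and copied into a fixed-size stack
 * buffer. A len larger than ARG_BUF_SIZE overwrites the saved frame and return address
 * (CWE-121). This demo only calls it with in-bounds lengths. */
static int handle_vulnerable(const struct ioctl_msg *msg) {
    char arg[ARG_BUF_SIZE];
    if (msg->code != IOCTL_LAUNCH_APP) return -1;
    memcpy(arg, msg->payload, msg->len);   /* no bound check on msg->len */
    return (int)msg->len;
}

/* HARDENED: check the declared length against the destination buffer (leaving room for a
 * NUL) and against the bytes actually received, so neither a stack overflow nor an
 * out-of-bounds read of the receive buffer is possible. All compares are unsigned. */
static int handle_hardened(const struct ioctl_msg *msg, size_t bytes_available) {
    char arg[ARG_BUF_SIZE];
    if (msg->code != IOCTL_LAUNCH_APP) return -1;
    if (msg->len >= ARG_BUF_SIZE) return -2;    /* would overflow the stack buffer */
    if (msg->len > bytes_available) return -3;  /* declared length exceeds the packet */
    memcpy(arg, msg->payload, msg->len);
    arg[msg->len] = '\0';
    return (int)strlen(arg);
}

/* Build a constructed packet with a given declared length and actual payload size, then
 * run one handler. vulnerable=true selects handle_vulnerable (in-bounds lengths only). */
static int run_case(uint32_t declared_len, size_t actual_payload_len, bool vulnerable) {
    uint8_t pkt[MAX_PKT];
    struct ioctl_msg m;
    if (actual_payload_len > MAX_PKT - 8) return -5;
    wr32le(pkt, IOCTL_LAUNCH_APP);
    wr32le(pkt + 4, declared_len);
    memset(pkt + 8, 'A', actual_payload_len);      /* constructed payload bytes */
    size_t pkt_len = 8 + actual_payload_len;
    if (!parse_msg(pkt, pkt_len, &m)) return -4;
    if (vulnerable) {
        if (declared_len > ARG_BUF_SIZE) return -6; /* demo guard: never actually smash the stack */
        return handle_vulnerable(&m);
    }
    return handle_hardened(&m, pkt_len - 8);
}

int main(void) {
    printf("valid    (len 11, 11 bytes):   hardened=%d\n", run_case(11, 11, false));
    printf("oversize (len 200, 200 bytes): hardened=%d\n", run_case(200, 200, false));
    printf("lying    (len 40, 10 bytes):   hardened=%d\n", run_case(40, 10, false));
    printf("huge     (len 0xffffffff):     hardened=%d\n", run_case(0xffffffffu, 10, false));
    printf("valid    (len 11, 11 bytes):   vulnerable=%d\n", run_case(11, 11, true));
    return 0;
}
```

Two checks matter, not one: the length must fit the destination buffer, and it must not exceed what was actually received, otherwise the "fix" trades a stack overflow for an out-of-bounds read of the receive buffer. Keeping the length field unsigned and comparing before any cast avoids the signed-compare bypass where a huge value passes as negative.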
CVE-2016-5817
https://notcve.org/view.php?id=CVE-2016-5817
SQL injection vulnerability in the news pages of Cargotec Navis WebAccess before 2016-08-10 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. • https://ics-cert.us-cert.gov/advisories/ICSA-16-231-01 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')