
CVSS: 6.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which could allow an attacker to send malicious JavaScript code. This could result in hijacking of cookie/session tokens, redirection to a malicious webpage, and unintended browser action on WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1). • https://us-cert.cisa.gov/ics/advisories/icsa-21-217-04 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

The affected product is vulnerable to a relative path traversal condition, which may allow an attacker access to unauthorized files and directories on WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1). • https://us-cert.cisa.gov/ics/advisories/icsa-21-217-04 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-23: Relative Path Traversal

CVSS: 10.0 • EPSS: 96% • CPEs: 1 • EXPL: 1

An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger this vulnerability. • https://talosintelligence.com/vulnerability_reports/TALOS-2021-1274 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

WebAccess/NMS (versions prior to v3.0.3_Build6299) has an improper authentication vulnerability, which may allow unauthorized users to view resources monitored and controlled by WebAccess/NMS, as well as IP addresses and names of all the devices managed via WebAccess/NMS. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of the DashBoardAction endpoint of the web server. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose information from the application. • https://us-cert.cisa.gov/ics/advisories/icsa-21-229-02 • CWE-287: Improper Authentication

CVSS: 9.6 • EPSS: 80% • CPEs: 1 • EXPL: 1

This vulnerability is present in the device_graph_page.php script, which is part of the Advantech R-SeeNet web applications. A URL specially crafted by an attacker and visited by a victim can lead to arbitrary JavaScript code execution. • https://talosintelligence.com/vulnerability_reports/TALOS-2021-1272 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')