CVE-2023-32540
https://notcve.org/view.php?id=CVE-2023-32540
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-32628
https://notcve.org/view.php?id=CVE-2023-32628
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2021-42703 – AzeoTech DAQFactory
https://notcve.org/view.php?id=CVE-2021-42703
This vulnerability could allow an attacker to send malicious Javascript code resulting in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage, and performing unintended browser action. Esta vulnerabilidad podría permitir a un atacante enviar código Javascript malicioso resultando en el secuestro de los tokens de cookies/sesión del usuario, redirigiendo al usuario a una página web maliciosa y llevando a cabo una acción no deseada en el navegador • https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-42706 – AzeoTech DAQFactory
https://notcve.org/view.php?id=CVE-2021-42706
This vulnerability could allow an attacker to disclose information and execute arbitrary code on affected installations of WebAccess/MHI Designer Esta vulnerabilidad podría permitir a un atacante revelar información y ejecutar código arbitrario en las instalaciones afectadas de WebAccess/MHI Designer • https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01 • CWE-416: Use After Free •
CVE-2021-38389 – Advantech WebAccess
https://notcve.org/view.php?id=CVE-2021-38389
Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute code. Advantech WebAccess versiones 9.02 y anteriores, son vulnerables a un desbordamiento del búfer en la región stack de la memoria, que podría permitir a un atacante ejecutar código de forma remota This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of IOCTL 0x1138B. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator. • https://us-cert.cisa.gov/ics/advisories/icsa-21-285-02 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •