CVSS: 9.8 • EPSS: 8% • CPEs: 1 • EXPL: 0

In Advantech DiagAnywhere Server, Versions 3.07.11 and prior, multiple stack-based buffer overflow vulnerabilities exist in the file transfer service listening on the TCP port. Successful exploitation could allow an unauthenticated attacker to execute arbitrary code with the privileges of the user running DiagAnywhere Server. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech DiagAnywhere.
• https://www.us-cert.gov/ics/advisories/icsa-19-346-01
• CWE-121: Stack-based Buffer Overflow; CWE-787: Out-of-bounds Write

CVSS: 9.8 • EPSS: 1% • CPEs: 1 • EXPL: 1

Advantech WebAccess before 8.4.3 allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service (memory corruption) due to a stack-based buffer overflow when handling IOCTL 70533 RPC messages.
• https://www.tenable.com/security/research/tra-2019-52
• CWE-121: Stack-based Buffer Overflow; CWE-787: Out-of-bounds Write

CVSS: 6.5 • EPSS: 4% • CPEs: 1 • EXPL: 0

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Lack of sanitization of user-supplied input causes SQL injection vulnerabilities. An attacker can leverage these vulnerabilities to disclose information.
• https://www.us-cert.gov/ics/advisories/icsa-19-304-01 https://www.zerodayinitiative.com/advisories/ZDI-19-937 https://www.zerodayinitiative.com/advisories/ZDI-19-938 https://www.zerodayinitiative.com/advisories/ZDI-19-940 https://www.zerodayinitiative.com/advisories/ZDI-19-948 https://www.zerodayinitiative.com/advisories/ZDI-19-949 https://www.zerodayinitiative.com/advisories/ZDI-19-951 https://www.zerodayinitiative.com/advisories/ZDI-19-952 https://www.zerodayinitiative.com/advisories/ZDI-19&#
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WISE-PaaS/RMM.
• https://www.us-cert.gov/ics/advisories/icsa-19-304-01 https://www.zerodayinitiative.com/advisories/ZDI-19-936 https://www.zerodayinitiative.com/advisories/ZDI-19-939 https://www.zerodayinitiative.com/advisories/ZDI-19-942 https://www.zerodayinitiative.com/advisories/ZDI-19-943 https://www.zerodayinitiative.com/advisories/ZDI-19-944 https://www.zerodayinitiative.com/advisories/ZDI-19-945 https://www.zerodayinitiative.com/advisories/ZDI-19-946 https://www.zerodayinitiative.com/advisories/ZDI-19&#
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. There is an unsecured function that allows anyone who can access the IP address to use the function without authentication. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WISE-PaaS/RMM.
• https://www.us-cert.gov/ics/advisories/icsa-19-304-01 https://www.zerodayinitiative.com/advisories/ZDI-19-960
• CWE-306: Missing Authentication for Critical Function; CWE-862: Missing Authorization