
CVSS: 6.5 | EPSS: 3% | CPEs: 1 | EXPL: 0

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Lack of sanitization of user-supplied input causes SQL injection vulnerabilities. An attacker can leverage these vulnerabilities to disclose information.

References:
• https://www.us-cert.gov/ics/advisories/icsa-19-304-01
• https://www.zerodayinitiative.com/advisories/ZDI-19-937
• https://www.zerodayinitiative.com/advisories/ZDI-19-938
• https://www.zerodayinitiative.com/advisories/ZDI-19-940
• https://www.zerodayinitiative.com/advisories/ZDI-19-948
• https://www.zerodayinitiative.com/advisories/ZDI-19-949
• https://www.zerodayinitiative.com/advisories/ZDI-19-951
• https://www.zerodayinitiative.com/advisories/ZDI-19-952
• https://www.zerodayinitiative.com/advisories/ZDI-19&#

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 | EPSS: 1% | CPEs: 1 | EXPL: 0

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WISE-PaaS/RMM.

References:
• https://www.us-cert.gov/ics/advisories/icsa-19-304-01
• https://www.zerodayinitiative.com/advisories/ZDI-19-936
• https://www.zerodayinitiative.com/advisories/ZDI-19-939
• https://www.zerodayinitiative.com/advisories/ZDI-19-942
• https://www.zerodayinitiative.com/advisories/ZDI-19-943
• https://www.zerodayinitiative.com/advisories/ZDI-19-944
• https://www.zerodayinitiative.com/advisories/ZDI-19-945
• https://www.zerodayinitiative.com/advisories/ZDI-19-946
• https://www.zerodayinitiative.com/advisories/ZDI-19&#

CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 10.0 | EPSS: 1% | CPEs: 1 | EXPL: 0

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. There is an unsecured function that allows anyone who can access the IP address to use the function without authentication. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WISE-PaaS/RMM.

References:
• https://www.us-cert.gov/ics/advisories/icsa-19-304-01
• https://www.zerodayinitiative.com/advisories/ZDI-19-960

CWE-306: Missing Authentication for Critical Function
CWE-862: Missing Authorization

CVSS: 10.0 | EPSS: 1% | CPEs: 1 | EXPL: 0

Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Path traversal vulnerabilities are caused by a lack of proper validation of a user-supplied path prior to use in file operations. An attacker can leverage these vulnerabilities to remotely execute code while posing as an administrator.

References:
• https://www.us-cert.gov/ics/advisories/icsa-19-304-01
• https://www.zerodayinitiative.com/advisories/ZDI-19-935
• https://www.zerodayinitiative.com/advisories/ZDI-19-941
• https://www.zerodayinitiative.com/advisories/ZDI-19-950
• https://www.zerodayinitiative.com/advisories/ZDI-19-958

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

In Advantech WebAccess/HMI Designer 2.1.9.31, Data from a Faulting Address controls Code Flow starting at PM_V3!CTagInfoThreadBase::GetNICInfo+0x0000000000512918.

References:
• http://code610.blogspot.com/2019/09/crashing-webaccesshmi-designer-21931.html