CVE-2023-22450
https://notcve.org/view.php?id=CVE-2023-22450
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2023-32540
https://notcve.org/view.php?id=CVE-2023-32540
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-32628
https://notcve.org/view.php?id=CVE-2023-32628
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2023-2573 – Authenticated Command Injection
https://notcve.org/view.php?id=CVE-2023-2573
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request. Advantech EKI-1524-CE series, EKI-1522 series, and EKI-1521 series suffer from command injection and buffer overflow vulnerabilities. • http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html http://seclists.org/fulldisclosure/2023/May/4 https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2023-2574 – Authenticated Command Injection
https://notcve.org/view.php?id=CVE-2023-2574
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request. Advantech EKI-1524-CE series, EKI-1522 series, and EKI-1521 series suffer from command injection and buffer overflow vulnerabilities. • http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html http://seclists.org/fulldisclosure/2023/May/4 https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •