CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-12026 – Advantech WebAccess/SCADA DrawSrv IOCTL 0x0000277d Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-12026
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control. Advantech WebAccess Node, versiones 8.4.4 y anteriores, versión 9.0.0. Se presentan múltiples vulnerabilidades de salto de ruta relativa que puede permitir a un usuario con poco privilegio sobrescribir archivos fuera del control de la aplicación. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess/SCADA. • https://www.us-cert.gov/ics/advisories/icsa-20-128-01 https://www.zerodayinitiative.com/advisories/ZDI-20-626 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2020-12014 – Advantech WebAccess/SCADA BwWebSvc IOCTL 0x00013c76 IOCTL 0x00013c77 SQL Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-12014
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Input is not properly sanitized and may allow an attacker to inject SQL commands. Advantech WebAccess Node, versiones 8.4.4 y anteriores, versión 9.0.0. Una entrada no está apropiadamente saneada y puede permitir a un atacante inyectar comandos SQL. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/SCADA. • https://www.us-cert.gov/ics/advisories/icsa-20-128-01 https://www.zerodayinitiative.com/advisories/ZDI-20-613 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0CVE-2020-12006 – Advantech WebAccess/SCADA DrawSrv IOCTL 0x00002711 Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-12006
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control. Advantech WebAccess Node, versiones 8.4.4 y anteriores, versión 9.0.0. Se presentan múltiples vulnerabilidades de salto de ruta relativa que pueden permitir a un usuario con poco privilegio sobrescribir archivos fuera del control de la aplicación. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess/SCADA. • https://www.us-cert.gov/ics/advisories/icsa-20-128-01 https://www.zerodayinitiative.com/advisories/ZDI-20-589 https://www.zerodayinitiative.com/advisories/ZDI-20-595 https://www.zerodayinitiative.com/advisories/ZDI-20-605 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 8.2EPSS: 0%CPEs: 2EXPL: 0CVE-2020-12010 – Advantech WebAccess IOCTL 0x2738 Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2020-12010
Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow an authenticated user to use a specially crafted file to delete files outside the application’s control. Advantech WebAccess Node, versiones 8.4.4 y anteriores, versión 9.0.0. Se presentan múltiples vulnerabilidades de salto de ruta relativa que pueden permitir a un usuario autenticado usar un archivo especialmente diseñado para eliminar archivos fuera del control de la aplicación. This vulnerability allows remote attackers to delete arbitrary files on affected installations of Advantech WebAccess. • https://www.us-cert.gov/ics/advisories/icsa-20-128-01 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5817
https://notcve.org/view.php?id=CVE-2016-5817
SQL injection vulnerability in news pages in Cargotec Navis WebAccess before 2016-08-10 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en páginas de noticias en Cargotec Navis WebAccess en versiones anteriores a 2016-08-10 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores no especificados. • https://ics-cert.us-cert.gov/advisories/ICSA-16-231-01 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •