CVE-2021-22674
https://notcve.org/view.php?id=CVE-2021-22674
The affected product is vulnerable to a relative path traversal condition, which may allow an attacker access to unauthorized files and directories on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1). El producto afectado es vulnerable a una condición de salto de ruta relativa, que puede permitir a un atacante acceder a archivos y directorios no autorizados en el WebAccess/SCADA (WebAccess/SCADA versiones anteriores a 8.4.5, WebAccess/SCADA versiones anteriores a 9.0.1) • https://us-cert.cisa.gov/ics/advisories/icsa-21-217-04 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVE-2021-32951 – Advantech WebAccess/NMS Improper Authentication
https://notcve.org/view.php?id=CVE-2021-32951
WebAccess/NMS (Versions prior to v3.0.3_Build6299) has an improper authentication vulnerability, which may allow unauthorized users to view resources monitored and controlled by the WebAccess/NMS, as well as IP addresses and names of all the devices managed via WebAccess/NMS. WebAccess/NMS (versiones anteriores a v3.0.3_Build6299) presenta una vulnerabilidad de autenticación inapropiada, que puede permitir a usuarios no autorizados visualizar los recursos supervisados y controlados por WebAccess/NMS, así como las direcciones IP y los nombres de todos los dispositivos gestionados por medio de WebAccess/NMS This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of the DashBoardAction endpoint of the web server. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose information from the application. • https://us-cert.cisa.gov/ics/advisories/icsa-21-229-02 • CWE-287: Improper Authentication •
CVE-2021-33002 – Advantech WebAccess/HMI Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-33002
Opening a maliciously crafted project file may cause an out-of-bounds write, which may allow an attacker to execute arbitrary code. User interaction is require on the WebAccess HMI Designer (versions 2.1.9.95 and prior). Abriendo un archivo de proyecto diseñado maliciosamente puede causar una escritura fuera de límites, que puede permitir a un atacante ejecutar código arbitrario. Es requerida una interacción del usuario en el WebAccess HMI Designer (versiones 2.1.9.95 y anteriores) This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess/HMI Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PM3 files. • https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01 • CWE-787: Out-of-bounds Write •
CVE-2021-33004 – Advantech WebAccess/HMI Designer PM3 File Parsing Memory Corruption Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-33004
The affected product is vulnerable to memory corruption condition due to lack of proper validation of user supplied files, which may allow an attacker to execute arbitrary code. User interaction is required on the WebAccess HMI Designer (versions 2.1.9.95 and prior). El producto afectado es vulnerable a una condición de corrupción de memoria debido a una falta de comprobación apropiada de los archivos suministrados por el usuario, que puede permitir a un atacante ejecutar código arbitrario. Es requerida una interacción del usuario en el WebAccess HMI Designer (versiones 2.1.9.95 y anteriores) This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess/HMI Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PM3 files. • https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVE-2021-32954
https://notcve.org/view.php?id=CVE-2021-32954
Advantech WebAccess/SCADA Versions 9.0.1 and prior is vulnerable to a directory traversal, which may allow an attacker to remotely read arbitrary files on the file system. Advantech WebAccess/SCADA Versiones 9.0.1 y anteriores, es vulnerable a un salto de directorio, que puede permitir a un atacante leer remotamente archivos arbitrarios en el sistema de archivos • https://us-cert.cisa.gov/ics/advisories/icsa-21-168-03 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •