CVSS: 9.4EPSS: 4%CPEs: 1EXPL: 0CVE-2017-12710 – Advantech WebAccess rmTemplate SQL Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2017-12710
A SQL Injection issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. By submitting a specially crafted parameter, it is possible to inject arbitrary SQL statements that could allow an attacker to obtain sensitive information. Se descubrió una vulnerabilidad de inyección SQL en Advantech WebAccess en versiones anteriores a la V8.2_20170817. Al enviar un parámetro especialmente manipulado, es posible inyectar declaraciones SQL que podrían permitir a un atacante obtener información sensible. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Advantech WebAccess. • http://www.securityfocus.com/bid/100526 http://www.zerodayinitiative.com/advisories/ZDI-17-712 https://ics-cert.us-cert.gov/advisories/ICSA-17-241-02 https://www.tenable.com/security/research/tra-2017-29 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12713 – Advantech WebAccess Product Installation File Access Control Modification Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2017-12713
An Incorrect Permission Assignment for Critical Resource issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Multiple files and folders with ACLs that affect other users are allowed to be modified by non-administrator accounts. Se descubrió una vulnerabilidad de asignación incorrecta de privilegios en Advantech WebAccess en versiones anteriores a la V8.2_20170817. Se permite que cuentas que no son administradores modifiquen múltiples archivos y carpetas con listas de control de acceso que afecten a otros usuarios. This vulnerability allows local attackers to escalate privilege on vulnerable installations of Advantech WebAccess. • http://www.securityfocus.com/bid/100526 https://ics-cert.us-cert.gov/advisories/ICSA-17-241-02 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12705 – Advantech WebOP Designer Project File Heap Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2017-12705
A Heap-Based Buffer Overflow issue was discovered in Advantech WebOP. A maliciously crafted project file may be able to trigger a heap-based buffer overflow, which may crash the process and allow an attacker to execute arbitrary code. Se ha descubierto un problema de desbordamiento de búfer basado en memoria dinámica (heap) en Advantech WebOP. Un archivo de proyecto manipulado con fines maliciosos puede desencadenar un desbordamiento de búfer basado en memoria dinámica (heap), lo que puede provocar el cierre inesperado del proceso y permitir que un atacante ejecute código arbitrario. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebOP Designer. • http://www.securityfocus.com/bid/99476 https://ics-cert.us-cert.gov/advisories/ICSA-17-227-01 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-7909
https://notcve.org/view.php?id=CVE-2017-7909
A Use of Client-Side Authentication issue was discovered in Advantech B+B SmartWorx MESR901 firmware versions 1.5.2 and prior. The web interface uses JavaScript to check client authentication and redirect unauthorized users. Attackers may intercept requests and bypass authentication to access restricted web pages. Un problema de uso de autenticación del lado del cliente se detectó en B+B SmartWorx MESR901 versiones de firmwares 1.5.2 y anteriores de Advantech. La interfaz web utiliza JavaScript para comprobar la autenticación de cliente y redireccionar a los usuarios no autorizados. • http://www.securityfocus.com/bid/98257 https://ics-cert.us-cert.gov/advisories/ICSA-17-122-03 • CWE-287: Improper Authentication CWE-603: Use of Client-Side Authentication •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-7929 – Advantech WebAccess odbcPg4 Absolute Path Traversal File Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2017-7929
An Absolute Path Traversal issue was discovered in Advantech WebAccess Version 8.1 and prior. The absolute path traversal vulnerability has been identified, which may allow an attacker to traverse the file system to access restricted files or directories. Se detectó un problema de Salto de Ruta (Path) Absoluto en WebAccess Versión 8.1 y anteriores. Se ha identificado la vulnerabilidad de salto de ruta (path) absoluta, que puede permitir a un atacante atravesar el sistema de archivos para acceder a archivos o directorios restringidos. This vulnerability allows remote attackers to cause a denial of service condition on vulnerable installations of Advantech WebAccess. • http://www.securityfocus.com/bid/98311 https://ics-cert.us-cert.gov/advisories/ICSA-17-124-03 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-36: Absolute Path Traversal •