
CVE-2024-2453 – Advantech WebAccess/SCADA SQL Injection
https://notcve.org/view.php?id=CVE-2024-2453
21 Mar 2024 — There is an SQL injection vulnerability in Advantech WebAccess/SCADA software that allows an authenticated attacker to remotely inject SQL code in the database. Successful exploitation of this vulnerability could allow an attacker to read or modify data on the remote database. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-081-01 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-4215 – Advantech WebAccess Debug Messages Revealing Unnecessary Information
https://notcve.org/view.php?id=CVE-2023-4215
16 Oct 2023 — Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability that could leak user credentials. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-15 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-1295: Debug Messages Revealing Unnecessary Information •

CVE-2023-1437 – CVE-2023-1437
https://notcve.org/view.php?id=CVE-2023-1437
02 Aug 2023 — All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers. The RPC arguments the client sent could contain raw memory pointers for the server to use as-is. This could allow an attacker to gain access to the remote file system and the ability to execute commands and overwrite files. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-166-02 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-822: Untrusted Pointer Dereference •

CVE-2023-2866 – Advantech WebAccess Insufficient Type Distinction
https://notcve.org/view.php?id=CVE-2023-2866
07 Jun 2023 — If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-150-01 • CWE-345: Insufficient Verification of Data Authenticity CWE-351: Insufficient Type Distinction •

CVE-2023-22450
https://notcve.org/view.php?id=CVE-2023-22450
05 Jun 2023 — In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-32540
https://notcve.org/view.php?id=CVE-2023-32540
05 Jun 2023 — In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-32628
https://notcve.org/view.php?id=CVE-2023-32628
05 Jun 2023 — In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2021-42703 – AzeoTech DAQFactory
https://notcve.org/view.php?id=CVE-2021-42703
15 Nov 2021 — This vulnerability could allow an attacker to send malicious JavaScript code resulting in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage, and performing unintended browser action. • https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-42706 – AzeoTech DAQFactory
https://notcve.org/view.php?id=CVE-2021-42706
15 Nov 2021 — This vulnerability could allow an attacker to disclose information and execute arbitrary code on affected installations of WebAccess/MHI Designer. • https://us-cert.cisa.gov/ics/advisories/icsa-21-173-01 • CWE-416: Use After Free •

CVE-2021-38389 – Advantech WebAccess
https://notcve.org/view.php?id=CVE-2021-38389
18 Oct 2021 — Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute code. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess. Authentication is not required to exploit this vuln... • https://us-cert.cisa.gov/ics/advisories/icsa-21-285-02 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •