CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32951 – Advantech WebAccess/NMS Improper Authentication
https://notcve.org/view.php?id=CVE-2021-32951
19 Jul 2021 — WebAccess/NMS (Versions prior to v3.0.3_Build6299) has an improper authentication vulnerability, which may allow unauthorized users to view resources monitored and controlled by the WebAccess/NMS, as well as IP addresses and names of all the devices managed via WebAccess/NMS. WebAccess/NMS (versiones anteriores a v3.0.3_Build6299) presenta una vulnerabilidad de autenticación inapropiada, que puede permitir a usuarios no autorizados visualizar los recursos supervisados y controlados por WebAccess/NMS, así co... • https://us-cert.cisa.gov/ics/advisories/icsa-21-229-02 • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10603 – Advantech WebAccess/NMS DatabaseMgmtResource OS Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-10603
08 Apr 2020 — WebAccess/NMS (versions prior to 3.0.2) does not properly sanitize user input and may allow an attacker to inject system commands remotely. WebAccess/NMS (versiones anteriores a 3.0.2), no sanea apropiadamente una entrada del usuario y puede permitir a un atacante inyectar comandos del sistema remotamente. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess/NMS. Although authentication is required to exploit this vulnerability, the existing a... • https://www.us-cert.gov/ics/advisories/icsa-20-098-01 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10617 – Advantech WebAccess/NMS addLinkMonitor SQL Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-10617
08 Apr 2020 — There are multiple ways an unauthenticated attacker could perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information. Se presenta múltiples maneras en que un atacante no autenticado podría llevar a cabo una inyección SQL en WebAccess/NMS (versiones anteriores a 3.0.2) para conseguir acceso a información confidencial. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. Authentication i... • https://www.us-cert.gov/ics/advisories/icsa-20-098-01 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.1EPSS: 1%CPEs: 1EXPL: 0CVE-2020-10619 – Advantech WebAccess/NMS saveBackgroundAction Directory Traversal Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2020-10619
08 Apr 2020 — An attacker could use a specially crafted URL to delete files outside the WebAccess/NMS's (versions prior to 3.0.2) control. Un atacante podría usar una URL especialmente diseñada para eliminar archivos fuera del control de WebAccess/NMS (versiones anteriores a 3.0.2). This vulnerability allows remote attackers to delete arbitary files on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of calls to... • https://www.us-cert.gov/ics/advisories/icsa-20-098-01 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10621 – Advantech WebAccess/NMS ProfileResource Unrestricted File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-10621
08 Apr 2020 — Multiple issues exist that allow files to be uploaded and executed on the WebAccess/NMS (versions prior to 3.0.2). Se presentan múltiples problemas que permiten que los archivos se carguen y ejecuten en WebAccess/NMS (versiones anteriores a 3.0.2). This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of calls to the importprofile e... • https://www.us-cert.gov/ics/advisories/icsa-20-098-01 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10623 – Advantech WebAccess/NMS setDevicechoose SQL Injection Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-10623
08 Apr 2020 — Multiple vulnerabilities could allow an attacker with low privileges to perform SQL injection on WebAccess/NMS (versions prior to 3.0.2) to gain access to sensitive information. Múltiples vulnerabilidades podrían permitir a un atacante con pocos privilegios llevar a cabo una inyección SQL en WebAccess/NMS (versiones anteriores a 3.0.2) para conseguir acceso a información confidencial. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAcces... • https://www.us-cert.gov/ics/advisories/icsa-20-098-01 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10625 – Advantech WebAccess/NMS UsersInputAction Missing Authentication for Critical Function Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2020-10625
08 Apr 2020 — WebAccess/NMS (versions prior to 3.0.2) allows an unauthenticated remote user to create a new admin account. WebAccess/NMS (versiones anteriores a 3.0.2), permite a un usuario no autenticado remoto crear una nueva cuenta de administrador. This vulnerability allows remote attackers to bypass authentication on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of calls to the usersInputAction.action en... • https://www.us-cert.gov/ics/advisories/icsa-20-098-01 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10629 – Advantech WebAccess/NMS MibbrowserTrapAddAction XML External Entity Reference Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2020-10629
08 Apr 2020 — WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. Specially crafted XML input could allow an attacker to read sensitive files. WebAccess/NMS (versiones anteriores a 3.0.2), no sanea una entrada XML. La entrada XML especialmente diseñada podría permitir a un atacante leer archivos confidenciales. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WebAccess/NMS. • https://www.us-cert.gov/ics/advisories/icsa-20-098-01 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10631 – Advantech WebAccess/NMS download.jsp Directory Traversal Information Disclosure and Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2020-10631
08 Apr 2020 — An attacker could use a specially crafted URL to delete or read files outside the WebAccess/NMS's (versions prior to 3.0.2) control. Un atacante podría usar una URL especialmente diseñada para eliminar o leer archivos fuera del control de WebAccess/NMS (versiones anteriores a 3.0.2). This vulnerability allows remote attackers to disclose sensitive information and delete arbitrary files on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability. The spe... • https://www.us-cert.gov/ics/advisories/icsa-20-098-01 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-10590
https://notcve.org/view.php?id=CVE-2018-10590
15 May 2018 — In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an information exposure vulnerability through directory listing has been identified, which may allow an attacker to find important files that are not normally visible. En Advantech WebAccess en versiones V8.2_20170817 y anteriores, WebAccess en versiones V8.3.0 y anteriores, WebAccess Da... • http://www.securityfocus.com/bid/104190 • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory CWE-548: Exposure of Information Through Directory Listing •