
CVE-2024-2453 – Advantech WebAccess/SCADA SQL Injection
https://notcve.org/view.php?id=CVE-2024-2453
21 Mar 2024 — There is an SQL injection vulnerability in Advantech WebAccess/SCADA software that allows an authenticated attacker to remotely inject SQL code in the database. Successful exploitation of this vulnerability could allow an attacker to read or modify data on the remote database. Existe una vulnerabilidad de inyección SQL en el software Advantech WebAccess/SCADA que permite a un atacante autenticado inyectar código SQL de forma remota en la base de datos. La explotación exitosa de esta vulnerabilidad podría pe... • https://www.cisa.gov/news-events/ics-advisories/icsa-24-081-01 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-1437 – CVE-2023-1437
https://notcve.org/view.php?id=CVE-2023-1437
02 Aug 2023 — All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers. The RPC arguments the client sent could contain raw memory pointers for the server to use as-is. This could allow an attacker to gain access to the remote file system and the ability to execute commands and overwrite files. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-166-02 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-822: Untrusted Pointer Dereference •

CVE-2023-22450
https://notcve.org/view.php?id=CVE-2023-22450
05 Jun 2023 — In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-32540
https://notcve.org/view.php?id=CVE-2023-32540
05 Jun 2023 — In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-32628
https://notcve.org/view.php?id=CVE-2023-32628
05 Jun 2023 — In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution. • https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2021-38431 – Advantech WebAccess SCADA
https://notcve.org/view.php?id=CVE-2021-38431
15 Oct 2021 — An authenticated user using Advantech WebAccess SCADA in versions 9.0.3 and prior can use API functions to disclose project names and paths from other users. Un usuario autenticado usando Advantech WebAccess SCADA en versiones 9.0.3 y anteriores, puede usar funciones de la API para revelar nombres de proyectos y rutas de otros usuarios • https://us-cert.cisa.gov/ics/advisories/icsa-21-285-01 • CWE-862: Missing Authorization •

CVE-2021-32943
https://notcve.org/view.php?id=CVE-2021-32943
10 Aug 2021 — The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1). El producto afectado es vulnerable a un desbordamiento del búfer en la región stack de la memoria, que puede permitir a un atacante ejecutar remotamente código arbitrario en el WebAccess/SCADA (WebAccess/SCADA versiones anteriores a 8.4.5, WebAccess/SCADA versiones anterio... • https://us-cert.cisa.gov/ics/advisories/icsa-21-217-04 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •

CVE-2021-22676
https://notcve.org/view.php?id=CVE-2021-22676
10 Aug 2021 — UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which could allow an attacker to send malicious JavaScript code. This could result in hijacking of cookie/session tokens, redirection to a malicious webpage, and unintended browser action on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1). El archivo UserExcelOut.asp dentro de WebAccess/SCADA es vulnerable a un ataque de tipo cross-site scripting (XSS), que podría permi... • https://us-cert.cisa.gov/ics/advisories/icsa-21-217-04 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-22674
https://notcve.org/view.php?id=CVE-2021-22674
10 Aug 2021 — The affected product is vulnerable to a relative path traversal condition, which may allow an attacker access to unauthorized files and directories on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1). El producto afectado es vulnerable a una condición de salto de ruta relativa, que puede permitir a un atacante acceder a archivos y directorios no autorizados en el WebAccess/SCADA (WebAccess/SCADA versiones anteriores a 8.4.5, WebAccess/SCADA versiones ant... • https://us-cert.cisa.gov/ics/advisories/icsa-21-217-04 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •

CVE-2021-32954
https://notcve.org/view.php?id=CVE-2021-32954
18 Jun 2021 — Advantech WebAccess/SCADA Versions 9.0.1 and prior is vulnerable to a directory traversal, which may allow an attacker to remotely read arbitrary files on the file system. Advantech WebAccess/SCADA Versiones 9.0.1 y anteriores, es vulnerable a un salto de directorio, que puede permitir a un atacante leer remotamente archivos arbitrarios en el sistema de archivos • https://us-cert.cisa.gov/ics/advisories/icsa-21-168-03 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •