
CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

The affected product allows attackers to obtain sensitive information from the WISE-PaaS dashboard. The system contains a hard-coded administrator username and password that can be used to query Grafana APIs. Authentication is not required for exploitation on the WISE-PaaS/RMM (versions prior to 9.0.1). • https://us-cert.cisa.gov/ics/advisories/icsa-21-124-01 • CWE-798: Use of Hard-coded Credentials

CVSS: 6.5 • EPSS: 4% • CPEs: 1 • EXPL: 0

Advantech WISE-PaaS/RMM, versions 3.3.29 and prior. Lack of sanitization of user-supplied input causes SQL injection vulnerabilities. An attacker can leverage these vulnerabilities to disclose information. • https://www.us-cert.gov/ics/advisories/icsa-19-304-01 https://www.zerodayinitiative.com/advisories/ZDI-19-937 https://www.zerodayinitiative.com/advisories/ZDI-19-938 https://www.zerodayinitiative.com/advisories/ZDI-19-940 https://www.zerodayinitiative.com/advisories/ZDI-19-948 https://www.zerodayinitiative.com/advisories/ZDI-19-949 https://www.zerodayinitiative.com/advisories/ZDI-19-951 https://www.zerodayinitiative.com/advisories/ZDI-19-952 https://www.zerodayinitiative.com/advisories/ZDI-19&# • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Advantech WISE-PaaS/RMM, versions 3.3.29 and prior. XXE vulnerabilities exist that may allow disclosure of sensitive data. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech WISE-PaaS/RMM. • https://www.us-cert.gov/ics/advisories/icsa-19-304-01 https://www.zerodayinitiative.com/advisories/ZDI-19-936 https://www.zerodayinitiative.com/advisories/ZDI-19-939 https://www.zerodayinitiative.com/advisories/ZDI-19-942 https://www.zerodayinitiative.com/advisories/ZDI-19-943 https://www.zerodayinitiative.com/advisories/ZDI-19-944 https://www.zerodayinitiative.com/advisories/ZDI-19-945 https://www.zerodayinitiative.com/advisories/ZDI-19-946 https://www.zerodayinitiative.com/advisories/ZDI-19&# • CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

Advantech WISE-PaaS/RMM, versions 3.3.29 and prior. There is an unsecured function that allows anyone who can access the IP address to use the function without authentication. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WISE-PaaS/RMM. • https://www.us-cert.gov/ics/advisories/icsa-19-304-01 https://www.zerodayinitiative.com/advisories/ZDI-19-960 • CWE-306: Missing Authentication for Critical Function; CWE-862: Missing Authorization

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

Advantech WISE-PaaS/RMM, versions 3.3.29 and prior. Path traversal vulnerabilities are caused by a lack of proper validation of a user-supplied path prior to use in file operations. An attacker can leverage these vulnerabilities to remotely execute code while posing as an administrator. • https://www.us-cert.gov/ics/advisories/icsa-19-304-01 https://www.zerodayinitiative.com/advisories/ZDI-19-935 https://www.zerodayinitiative.com/advisories/ZDI-19-941 https://www.zerodayinitiative.com/advisories/ZDI-19-950 https://www.zerodayinitiative.com/advisories/ZDI-19-958 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')