// For flags

CVE-2014-0772

Advantech WebAccess bwocxrun.ocx OpenUrlToBufferTimeout Information Disclosure Vulnerability

Severity Score

5.0
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The OpenUrlToBufferTimeout method in the BWOCXRUN.BwocxrunCtrl.1 ActiveX control in bwocxrun.ocx in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a file: URL.

El método OpenUrlToBufferTimeout en el control BWOCXRUN.BwocxrunCtrl.1 ActiveX en bwocxrun.ocx en Advantech WebAccess anterior a 7.2 permite a atacantes remotos leer archivos arbitrarios a través de un fichero: URL.

This vulnerability allows remote attackers to access arbitrary files on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the bwocxrun.ocx cntrol. The control exposes a method 'OpenBufferToUrlTimeout' which allows an attacker to access the contents of an arbitrary URL (including a file URL). An attacker can use this to access any file on the system or the content of any remote URL which is accessible in the current context of the browser.

*Credits: Anonymous
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2014-01-02 CVE Reserved
  • 2014-04-12 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-10-28 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (1)
URL Tag Source
http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03 Us Government Resource
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Advantech
Search vendor "Advantech"
Advantech Webaccess
Search vendor "Advantech" for product "Advantech Webaccess"
<= 7.1
Search vendor "Advantech" for product "Advantech Webaccess" and version " <= 7.1"
-
Affected
Advantech
Search vendor "Advantech"
Advantech Webaccess
Search vendor "Advantech" for product "Advantech Webaccess"
5.0
Search vendor "Advantech" for product "Advantech Webaccess" and version "5.0"
-
Affected
Advantech
Search vendor "Advantech"
Advantech Webaccess
Search vendor "Advantech" for product "Advantech Webaccess"
6.0
Search vendor "Advantech" for product "Advantech Webaccess" and version "6.0"
-
Affected
Advantech
Search vendor "Advantech"
Advantech Webaccess
Search vendor "Advantech" for product "Advantech Webaccess"
7.0
Search vendor "Advantech" for product "Advantech Webaccess" and version "7.0"
-
Affected