Advantech WebAccess openWidget Script Path Traversal Remote File Disclosure

Medium Nessus Plugin ID 88839


Synopsis

The remote host has a web application that is affected by a file disclosure vulnerability.


Description

The Advantech WebAccess web server running on the remote host is affected by a file disclosure vulnerability in the WebAccess Dashboard Viewer due to a failure to properly sanitize user-supplied input to the openWidget script. An unauthenticated, remote attacker can exploit this, via path traversal, to read the content of arbitrary files on the WebAccess server.

Note that this Advantech WebAccess web server is reportedly affected by other vulnerabilities as well; however, Nessus has not tested for these.


Solution

Upgrade to Advantech WebAccess version 8.1-2015.12.30 or later.

Plugin Details

Severity: Medium

ID: 88839

File Name: scada_advantech_webaccess_cve-2016-0855.nbin

Version: $Revision: 1.21 $

Type: remote

Family: SCADA

Published: 2016/02/18

Modified: 2018/01/29

Dependencies: 73645

Risk Information

Risk Factor: Medium


Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:advantech:webaccess

Required KB Items: www/scada_advantech_webaccess

Exploited by Nessus: true

Patch Publication Date: 2015/12/30

Vulnerability Publication Date: 2016/01/14

Reference Information

CVE: CVE-2016-0855

BID: 80745

OSVDB: 134162

ICSA: 16-014-01

ZDI: ZDI-16-126