Advantech WebAccess < 7.0-2011.12.20 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 9955

Synopsis

The detected version of Advantech WebAccess may be affected by multiple attack vectors.

Description

The installed version of Advantech WebAccess is prior to 7.0-2011.12.20 and is affected by the following vulnerabilities:

- A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the program does not validate unspecified input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 124949)
- Multiple flaws exist that may allow carrying out SQL injection attacks as unspecified input is not properly sanitized. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. (OSVDB 124950)

Solution

Upgrade to Advantech WebAccess version 7.0-2011.12.20 or later.

See Also

http://advantech.vo.llnwd.net/o35/www/webaccess/WebAccess%208.0/Version%208.0.htm

http://webaccess.advantech.com/downloads/Release%20Notes%20Candidate.htm

Plugin Details

Severity: High

ID: 9955

Family: SCADA

Published: 2017/02/14

Modified: 2017/02/14

Dependencies: 9860

Nessus ID: 85692

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 7

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:advantech:advantech_webaccess

Patch Publication Date: 2011/12/20

Vulnerability Publication Date: 2011/12/20