Advantech System Integration services HW/SW
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Advantech product.
Products by Advantech Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2025 there have been 0 vulnerabilities in Advantech. Last year, in 2024 Advantech had 6 security vulnerabilities published. Right now, Advantech is on track to have less security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 6 | 7.10 |
2023 | 10 | 8.84 |
2022 | 15 | 7.90 |
2021 | 62 | 7.32 |
2020 | 28 | 8.30 |
2019 | 31 | 8.98 |
2018 | 28 | 7.88 |
It may take a day or so for new Advantech vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Advantech Security Vulnerabilities
Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability
CVE-2023-52335
7.5 - High
- November 22, 2024
Advantech iView ConfigurationServlet SQL Injection Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ConfigurationServlet servlet, which listens on TCP port 8080 by default. When parsing the column_value element, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-17863.
SQL Injection
Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability
CVE-2024-28948
8.8 - High
- September 27, 2024
Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.
Session Riding
Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a
session is closed
CVE-2024-39275
8.8 - High
- September 27, 2024
Cookies of authenticated Advantech ADAM-5630 users remain as active valid cookies when a session is closed. Forging requests with a legitimate cookie, even if the session was terminated, allows an unauthorized attacker to act with the same level of privileges of the legitimate user.
Advantech ADAM 5550's web application includes a "logs" page where all
the HTTP requests received are displayed to the user
CVE-2024-38308
6.1 - Medium
- September 27, 2024
Advantech ADAM 5550's web application includes a "logs" page where all the HTTP requests received are displayed to the user. The device doesn't correctly neutralize malicious code when parsing HTTP requests to generate page output.
XSS
Advantech ADAM-5550 share user credentials with a low level of encryption
CVE-2024-37187
5.7 - Medium
- September 27, 2024
Advantech ADAM-5550 share user credentials with a low level of encryption, consisting of base 64 encoding.
Insufficiently Protected Credentials
Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process.
CVE-2024-34542
5.7 - Medium
- September 27, 2024
Advantech ADAM-5630 shares user credentials plain text between the device and the user source device during the login process.
Insufficiently Protected Credentials
Advantech R-SeeNet v2.4.23
CVE-2023-5642
9.8 - Critical
- October 18, 2023
Advantech R-SeeNet v2.4.23 allows an unauthenticated remote attacker to read from and write to the snmpmon.ini file, which contains sensitive information.
Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability
CVE-2023-4215
7.5 - High
- October 17, 2023
Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability that could leak user credentials.
Debug Messages Revealing Unnecessary Information
All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers
CVE-2023-1437
9.8 - Critical
- August 02, 2023
All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers. The RPC arguments the client sent could contain raw memory pointers for the server to use as-is. This could allow an attacker to gain access to the remote file system and the ability to execute commands and overwrite files.
Untrusted Pointer Dereference
An authenticated SQL injection vulnerability exists in Advantech iView versions prior to v5.7.4 build 6752
CVE-2023-3983
8.8 - High
- July 31, 2023
An authenticated SQL injection vulnerability exists in Advantech iView versions prior to v5.7.4 build 6752. An authenticated remote attacker can bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform blind SQL injection.
SQL Injection
Advantech R-SeeNet
versions 2.4.22
CVE-2023-3256
8.1 - High
- June 22, 2023
Advantech R-SeeNet versions 2.4.22 allows low-level users to access and load the content of local files.
Externally Controlled Reference to a Resource in Another Sphere
Advantech R-SeeNet
versions 2.4.22
is installed with a hidden root-level user that is not available in the
users list
CVE-2023-2611
9.8 - Critical
- June 22, 2023
Advantech R-SeeNet versions 2.4.22 is installed with a hidden root-level user that is not available in the users list. This hidden user has a password that cannot be changed by users.
Use of Hard-coded Credentials
If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5
CVE-2023-2866
7.8 - High
- June 07, 2023
If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server.
Insufficient Verification of Data Authenticity
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability
CVE-2023-32628
9.8 - Critical
- June 06, 2023
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution.
Unrestricted File Upload
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could
CVE-2023-32540
9.8 - Critical
- June 06, 2023
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution.
Code Injection
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability
CVE-2023-22450
7.2 - High
- June 06, 2023
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution.
Unrestricted File Upload
Advantech R-SeeNet Versions 2.4.19 and prior are vulnerable to path traversal attacks
CVE-2022-3387
5.3 - Medium
- October 27, 2022
Advantech R-SeeNet Versions 2.4.19 and prior are vulnerable to path traversal attacks. An unauthorized attacker could remotely exploit vulnerable PHP code to delete .PDF files.
Directory traversal
Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow
CVE-2022-3386
9.8 - Critical
- October 27, 2022
Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow. An unauthorized attacker can use an outsized filename to overflow the stack buffer and enable remote code execution.
Memory Corruption
Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow
CVE-2022-3385
9.8 - Critical
- October 27, 2022
Advantech R-SeeNet Versions 2.4.17 and prior are vulnerable to a stack-based buffer overflow. An unauthorized attacker can remotely overflow the stack buffer and enable remote code execution.
Memory Corruption
An SQL injection vulnerability in Advantech iView 5.7.04.6469
CVE-2022-3323
7.5 - High
- September 27, 2022
An SQL injection vulnerability in Advantech iView 5.7.04.6469. The specific flaw exists within the ConfigurationServlet endpoint, which listens on TCP port 8080 by default. An unauthenticated remote attacker can craft a special column_value parameter in the setConfiguration action to bypass checks in com.imc.iview.utils.CUtils.checkSQLInjection() to perform SQL injection. For example, the attacker can exploit the vulnerability to retrieve the iView admin password.
SQL Injection
The affected product is vulnerable to a SQL injection with high attack complexity, which may
CVE-2022-2142
5.9 - Medium
- July 22, 2022
The affected product is vulnerable to a SQL injection with high attack complexity, which may allow an unauthorized attacker to disclose information.
SQL Injection
The affected product is vulnerable due to missing authentication, which may
CVE-2022-2138
7.5 - High
- July 22, 2022
The affected product is vulnerable due to missing authentication, which may allow an attacker to read or modify sensitive data and execute arbitrary code, resulting in a denial-of-service condition.
Missing Authentication for Critical Function
The affected product is vulnerable to two SQL injections
CVE-2022-2137
4.9 - Medium
- July 22, 2022
The affected product is vulnerable to two SQL injections that require high privileges for exploitation and may allow an unauthorized attacker to disclose information
SQL Injection
The affected product is vulnerable to multiple SQL injections
CVE-2022-2136
6.5 - Medium
- July 22, 2022
The affected product is vulnerable to multiple SQL injections that require low privileges for exploitation and may allow an unauthorized attacker to disclose information.
SQL Injection
The affected product is vulnerable to multiple SQL injections, which may
CVE-2022-2135
7.5 - High
- July 22, 2022
The affected product is vulnerable to multiple SQL injections, which may allow an unauthorized attacker to disclose information.
SQL Injection
The affected product is vulnerable to two instances of command injection, which may
CVE-2022-2143
9.8 - Critical
- July 22, 2022
The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code.
The affected product is vulnerable to directory traversal, which may
CVE-2022-2139
9.8 - Critical
- July 22, 2022
The affected product is vulnerable to directory traversal, which may allow an attacker to access unauthorized files and execute arbitrary code.
Directory traversal
A privilege escalation vulnerability exists in the installation of Advantech WISE-PaaS/OTA Server 3.0.9
CVE-2021-40397
7.8 - High
- January 28, 2022
A privilege escalation vulnerability exists in the installation of Advantech WISE-PaaS/OTA Server 3.0.9. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.
Incorrect Default Permissions
A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iService 1.1.7
CVE-2021-40396
8.8 - High
- January 28, 2022
A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iService 1.1.7. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.
Incorrect Default Permissions
A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iEdge Server 1.0.2
CVE-2021-40389
8.8 - High
- January 28, 2022
A privilege escalation vulnerability exists in the installation of Advantech DeviceOn/iEdge Server 1.0.2. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.
Incorrect Default Permissions
A privilege escalation vulnerability exists in Advantech SQ Manager Server 1.0.6
CVE-2021-40388
8.8 - High
- January 28, 2022
A privilege escalation vulnerability exists in Advantech SQ Manager Server 1.0.6. A specially-crafted file can be replaced in the system to escalate privileges to NT SYSTEM authority. An attacker can provide a malicious file to trigger this vulnerability.
Incorrect Default Permissions
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21926
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at health_filter parameter.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21937
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at host_alt_filter parameter. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21936
8.8 - High
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at health_alt_filter parameter. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21935
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at host_alt_filter2 parameter. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21934
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at imei_filter parameter. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21933
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at esn_filter parameter. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21932
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at name_filter parameter. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21931
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at stat_filter parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21930
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at sn_filter parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21929
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at prod_filter parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21928
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at mac_filter parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21925
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at firm_filter parameter.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21924
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at desc_filter parameter.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21923
4.9 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at company_filter parameter with the administrative account or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21927
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at loc_filter parameter.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21922
6.5 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at username_filter parameter with the administrative account or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21921
4.9 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at name_filter parameter with the administrative account or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21920
4.9 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at surname_filter parameter with the administrative account or through cross-site request forgery.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21919
4.9 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at ord parameter. However, the high privilege super-administrator account needs to be used to achieve exploitation without cross-site request forgery attack.
SQL Injection
A specially-crafted HTTP request can lead to SQL injection
CVE-2021-21918
4.9 - Medium
- December 22, 2021
A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at name_filter parameter. However, the high privilege super-administrator account needs to be used to achieve exploitation without cross-site request forgery attack.
SQL Injection
An exploitable SQL injection vulnerability exist in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021)
CVE-2021-21917
8.8 - High
- December 22, 2021
An exploitable SQL injection vulnerability exist in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at 'ord parameter. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
An exploitable SQL injection vulnerability exist in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021)
CVE-2021-21916
8.8 - High
- December 22, 2021
An exploitable SQL injection vulnerability exist in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at 'description_filter parameter. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
An exploitable SQL injection vulnerability exist in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021)
CVE-2021-21915
8.8 - High
- December 22, 2021
An exploitable SQL injection vulnerability exist in the group_list page of the Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at company_filter parameter. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.
SQL Injection
This vulnerability could
CVE-2021-42703
6.1 - Medium
- November 15, 2021
This vulnerability could allow an attacker to send malicious Javascript code resulting in hijacking of the users cookie/session tokens, redirecting the user to a malicious webpage, and performing unintended browser action.
XSS
This vulnerability could
CVE-2021-42706
7.8 - High
- November 15, 2021
This vulnerability could allow an attacker to disclose information and execute arbitrary code on affected installations of WebAccess/MHI Designer
Dangling pointer
WebAccess/NMS (Versions prior to v3.0.3_Build6299) has an improper authentication vulnerability, which may
CVE-2021-32951
5.3 - Medium
- October 27, 2021
WebAccess/NMS (Versions prior to v3.0.3_Build6299) has an improper authentication vulnerability, which may allow unauthorized users to view resources monitored and controlled by the WebAccess/NMS, as well as IP addresses and names of all the devices managed via WebAccess/NMS.
authentification
Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may
CVE-2021-38389
9.8 - Critical
- October 18, 2021
Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute code.
Memory Corruption
Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may
CVE-2021-33023
9.8 - Critical
- October 18, 2021
Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may allow an attacker to remotely execute code.
Memory Corruption
An authenticated user using Advantech WebAccess SCADA in versions 9.0.3 and prior can use API functions to disclose project names and paths
CVE-2021-38431
4.3 - Medium
- October 15, 2021
An authenticated user using Advantech WebAccess SCADA in versions 9.0.3 and prior can use API functions to disclose project names and paths from other users.
AuthZ
A stack-based buffer overflow vulnerability in Advantech WebAccess Versions 9.02 and prior caused by a lack of proper validation of the length of user-supplied data may
CVE-2021-38408
9.8 - Critical
- September 09, 2021
A stack-based buffer overflow vulnerability in Advantech WebAccess Versions 9.02 and prior caused by a lack of proper validation of the length of user-supplied data may allow remote code execution.
Stack Overflow
The affected product is vulnerable to a stack-based buffer overflow, which may
CVE-2021-32943
9.8 - Critical
- August 10, 2021
The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).
Memory Corruption
UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which could
CVE-2021-22676
6.1 - Medium
- August 10, 2021
UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which could allow an attacker to send malicious JavaScript code. This could result in hijacking of cookie/session tokens, redirection to a malicious webpage, and unintended browser action on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).
XSS
The affected product is vulnerable to a relative path traversal condition, which may
CVE-2021-22674
6.5 - Medium
- August 10, 2021
The affected product is vulnerable to a relative path traversal condition, which may allow an attacker access to unauthorized files and directories on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).
Directory traversal
An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020)
CVE-2021-21805
9.8 - Critical
- August 05, 2021
An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger this vulnerability.
Shell injection
This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications
CVE-2021-21803
6.1 - Medium
- July 16, 2021
This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.
XSS
This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications
CVE-2021-21802
6.1 - Medium
- July 16, 2021
This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.
XSS
This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications
CVE-2021-21801
6.1 - Medium
- July 16, 2021
This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.
XSS
A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020)
CVE-2021-21804
9.8 - Critical
- July 16, 2021
A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability.
Inclusion of Functionality from Untrusted Control Sphere
Cross-site scripting vulnerabilities exist in the ssh_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020)
CVE-2021-21800
6.1 - Medium
- July 16, 2021
Cross-site scripting vulnerabilities exist in the ssh_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted users browser. An attacker can provide a crafted URL to trigger this vulnerability.
XSS
Cross-site scripting vulnerabilities exist in the telnet_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020)
CVE-2021-21799
6.1 - Medium
- July 16, 2021
Cross-site scripting vulnerabilities exist in the telnet_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted users browser. An attacker can provide a crafted URL to trigger this vulnerability.
XSS
The affected product is vulnerable to memory corruption condition due to lack of proper validation of user supplied files, which may
CVE-2021-33004
7.8 - High
- June 24, 2021
The affected product is vulnerable to memory corruption condition due to lack of proper validation of user supplied files, which may allow an attacker to execute arbitrary code. User interaction is required on the WebAccess HMI Designer (versions 2.1.9.95 and prior).
Memory Corruption
Opening a maliciously crafted project file may cause an out-of-bounds write, which may allow an attacker to execute arbitrary code
CVE-2021-33002
7.8 - High
- June 24, 2021
Opening a maliciously crafted project file may cause an out-of-bounds write, which may allow an attacker to execute arbitrary code. User interaction is require on the WebAccess HMI Designer (versions 2.1.9.95 and prior).
Memory Corruption
Parsing a maliciously crafted project file may cause a heap-based buffer overflow, which may
CVE-2021-33000
7.8 - High
- June 24, 2021
Parsing a maliciously crafted project file may cause a heap-based buffer overflow, which may allow an attacker to perform arbitrary code execution. User interaction is required on the WebAccess HMI Designer (versions 2.1.9.95 and prior).
Memory Corruption
Advantech WebAccess/SCADA Versions 9.0.1 and prior is vulnerable to redirection, which may allow an attacker to send a maliciously crafted URL
CVE-2021-32956
6.1 - Medium
- June 18, 2021
Advantech WebAccess/SCADA Versions 9.0.1 and prior is vulnerable to redirection, which may allow an attacker to send a maliciously crafted URL that could result in redirecting a user to a malicious webpage.
Open Redirect
Advantech WebAccess/SCADA Versions 9.0.1 and prior is vulnerable to a directory traversal, which may
CVE-2021-32954
6.5 - Medium
- June 18, 2021
Advantech WebAccess/SCADA Versions 9.0.1 and prior is vulnerable to a directory traversal, which may allow an attacker to remotely read arbitrary files on the file system.
Directory traversal
The affected product is vulnerable to a SQL injection, which may
CVE-2021-32932
7.5 - High
- June 11, 2021
The affected product is vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information on the iView (versions prior to v5.7.03.6182).
SQL Injection
The affected products configuration is vulnerable due to missing authentication, which may
CVE-2021-32930
9.8 - Critical
- June 11, 2021
The affected products configuration is vulnerable due to missing authentication, which may allow an attacker to change configurations and execute arbitrary code on the iView (versions prior to v5.7.03.6182).
Missing Authentication for Critical Function
Advantech WebAccess 8.4.2 and 8.4.4
CVE-2021-34540
6.1 - Medium
- June 11, 2021
Advantech WebAccess 8.4.2 and 8.4.4 allows XSS via the username column of the bwRoot.asp page of WADashboard.
XSS
The affected product allows attackers to obtain sensitive information from the WISE-PaaS dashboard
CVE-2021-27437
9.1 - Critical
- May 07, 2021
The affected product allows attackers to obtain sensitive information from the WISE-PaaS dashboard. The system contains a hard-coded administrator username and password that can be used to query Grafana APIs. Authentication is not required for exploitation on the WISE-PaaS/RMM (versions prior to 9.0.1).
Use of Hard-coded Credentials
Incorrect permissions are set to default on the Project Management page of WebAccess/SCADA portal of WebAccess/SCADA Versions 9.0.1 and prior, which may
CVE-2021-22669
8.8 - High
- April 26, 2021
Incorrect permissions are set to default on the Project Management page of WebAccess/SCADA portal of WebAccess/SCADA Versions 9.0.1 and prior, which may allow a low-privileged user to update an administrators password and login as an administrator to escalate privileges on the system.
Incorrect Permission Assignment for Critical Resource
WebAccess/SCADA Versions 9.0 and prior is vulnerable to cross-site scripting, which may
CVE-2021-27436
6.1 - Medium
- March 18, 2021
WebAccess/SCADA Versions 9.0 and prior is vulnerable to cross-site scripting, which may allow an attacker to send malicious JavaScript code to an unsuspecting user, which could result in hijacking of the users cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser actions.
XSS
An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation
CVE-2020-13554
7.8 - High
- March 03, 2021
An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In webvrpcs Run Key Privilege Escalation in installation folder of WebAccess, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.
Incorrect Default Permissions
The WADashboard component of WebAccess/SCADA Versions 9.0 and prior may
CVE-2020-25161
8.8 - High
- February 23, 2021
The WADashboard component of WebAccess/SCADA Versions 9.0 and prior may allow an attacker to control or influence a path used in an operation on the filesystem and remotely execute code as an administrator.
Externally Controlled Reference to a Resource in Another Sphere
An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation
CVE-2020-13555
8.8 - High
- February 17, 2021
An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In COM Server Application Privilege Escalation, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.
Incorrect Default Permissions
An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation
CVE-2020-13553
8.8 - High
- February 17, 2021
An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In webvrpcs Run Key Privilege Escalation in installation folder of WebAccess, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.
Incorrect Default Permissions
An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation
CVE-2020-13552
8.8 - High
- February 17, 2021
An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In privilege escalation via multiple service executables in installation folder of WebAccess, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.
Incorrect Default Permissions
An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation
CVE-2020-13551
8.8 - High
- February 17, 2021
An exploitable local privilege elevation vulnerability exists in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. In privilege escalation via PostgreSQL executable, an attacker can either replace binary or loaded modules to execute code with NT SYSTEM privilege.
Incorrect Default Permissions
A local file inclusion vulnerability exists in the installation functionality of Advantech WebAccess/SCADA 9.0.1
CVE-2020-13550
7.7 - High
- February 17, 2021
A local file inclusion vulnerability exists in the installation functionality of Advantech WebAccess/SCADA 9.0.1. A specially crafted application can lead to information disclosure. An attacker can send an authenticated HTTP request to trigger this vulnerability.
Directory traversal
Access to the Advantech iView versions prior to v5.7.03.6112 configuration are missing authentication, which may
CVE-2021-22652
9.8 - Critical
- February 11, 2021
Access to the Advantech iView versions prior to v5.7.03.6112 configuration are missing authentication, which may allow an unauthorized attacker to change the configuration and obtain code execution.
Missing Authentication for Critical Function
Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may
CVE-2021-22654
7.5 - High
- February 11, 2021
Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information.
SQL Injection
Advantech iView versions prior to v5.7.03.6112 are vulnerable to directory traversal, which may
CVE-2021-22656
7.5 - High
- February 11, 2021
Advantech iView versions prior to v5.7.03.6112 are vulnerable to directory traversal, which may allow an attacker to read sensitive files.
Directory traversal
Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may
CVE-2021-22658
9.8 - Critical
- February 11, 2021
Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an attacker to escalate privileges to 'Administrator'.
SQL Injection
The R-SeeNet webpage (1.5.1 through 2.4.10) suffers from SQL injection, which
CVE-2020-25157
7.5 - High
- October 20, 2020
The R-SeeNet webpage (1.5.1 through 2.4.10) suffers from SQL injection, which allows a remote attacker to invoke queries on the database and retrieve sensitive information.
SQL Injection
WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may
CVE-2020-16202
7.8 - High
- September 22, 2020
WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may allow code execution with system privileges.
Incorrect Permission Assignment for Critical Resource
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior
CVE-2020-16215
7.8 - High
- August 06, 2020
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. Processing specially crafted project files lacking proper validation of user supplied data may cause a stack-based buffer overflow, which may allow remote code execution, disclosure/modification of information, or cause the application to crash.
Improper Input Validation
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior
CVE-2020-16229
7.8 - High
- August 06, 2020
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. Processing specially crafted project files lacking proper validation of user supplied data may cause a type confusion condition, which may allow remote code execution, disclosure/modification of information, or cause the application to crash.
Object Type Confusion
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior
CVE-2020-16217
7.8 - High
- August 06, 2020
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. A double free vulnerability caused by processing specially crafted project files may allow remote code execution, disclosure/modification of information, or cause the application to crash.
Double-free
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior
CVE-2020-16213
7.8 - High
- August 06, 2020
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. Processing specially crafted project files lacking proper validation of user supplied data may cause the system to write outside the intended buffer area, which may allow remote code execution, disclosure/modification of information, or cause the application to crash.
Memory Corruption
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior
CVE-2020-16211
5.5 - Medium
- August 06, 2020
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. An out-of-bounds read vulnerability may be exploited by processing specially crafted project files, which may allow an attacker to read information.
Out-of-bounds Read