Advantech Webaccess

Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability

CVE-2023-4215 7.5 - High - October 17, 2023

Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability that could leak user credentials.

If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5

CVE-2023-2866 7.8 - High - June 07, 2023

If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server.

Insufficient Verification of Data Authenticity

Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may

CVE-2021-33023 9.8 - Critical - October 18, 2021

Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may allow an attacker to remotely execute code.

Memory Corruption

Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may

CVE-2021-38389 9.8 - Critical - October 18, 2021

Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute code.

Memory Corruption

A stack-based buffer overflow vulnerability in Advantech WebAccess Versions 9.02 and prior caused by a lack of proper validation of the length of user-supplied data may

CVE-2021-38408 9.8 - Critical - September 09, 2021

A stack-based buffer overflow vulnerability in Advantech WebAccess Versions 9.02 and prior caused by a lack of proper validation of the length of user-supplied data may allow remote code execution.

Stack Overflow

Advantech WebAccess 8.4.2 and 8.4.4

CVE-2021-34540 6.1 - Medium - June 11, 2021

Advantech WebAccess 8.4.2 and 8.4.4 allows XSS via the username column of the bwRoot.asp page of WADashboard.

XSS

WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may

CVE-2020-16202 7.8 - High - September 22, 2020

WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may allow code execution with system privileges.

Incorrect Permission Assignment for Critical Resource

WebAccess Node Version 8.4.4 and prior is vulnerable to a stack-based buffer overflow, which may

CVE-2020-12019 9.8 - Critical - June 15, 2020

WebAccess Node Version 8.4.4 and prior is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code.

Memory Corruption

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0

CVE-2020-12022 9.8 - Critical - May 08, 2020

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An improper validation vulnerability exists that could allow an attacker to inject specially crafted input into memory where it can be executed.

out-of-bounds array index

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0

CVE-2020-10638 9.8 - Critical - May 08, 2020

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple heap-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution.

Memory Corruption

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0

CVE-2020-12002 9.8 - Critical - May 08, 2020

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple stack-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution.

Memory Corruption

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0

CVE-2020-12006 9.8 - Critical - May 08, 2020

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the applications control.

Directory traversal

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0

CVE-2020-12010 7.1 - High - May 08, 2020

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow an authenticated user to use a specially crafted file to delete files outside the applications control.

Directory traversal

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0

CVE-2020-12014 7.5 - High - May 08, 2020

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Input is not properly sanitized and may allow an attacker to inject SQL commands.

SQL Injection

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0

CVE-2020-12018 7.5 - High - May 08, 2020

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An out-of-bounds vulnerability exists that may allow access to unauthorized data.

Out-of-bounds Read

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0

CVE-2020-12026 8.8 - High - May 08, 2020

Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the applications control.

Directory traversal

Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files

CVE-2019-3942 7.5 - High - April 01, 2020

Advantech WebAccess 8.3.4 does not properly restrict an RPC call that allows unauthenticated, remote users to read files. An attacker can use this vulnerability to recover the administrator password.

Insufficiently Protected Credentials

In Advantech WebAccess, Versions 8.4.2 and prior

CVE-2020-10607 8.8 - High - March 27, 2020

In Advantech WebAccess, Versions 8.4.2 and prior. A stack-based buffer overflow vulnerability caused by a lack of proper validation of the length of user-supplied data may allow remote code execution.

Memory Corruption

Advantech WebAccess before 8.4.3

CVE-2019-3951 9.8 - Critical - December 12, 2019

Advantech WebAccess before 8.4.3 allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service (memory corruption) due to a stack-based buffer overflow when handling IOCTL 70533 RPC messages.

Memory Corruption

In WebAccess versions 8.4.1 and prior, an exploit executed over the network may cause improper control of generation of code, which may

CVE-2019-13558 9.8 - Critical - September 18, 2019

In WebAccess versions 8.4.1 and prior, an exploit executed over the network may cause improper control of generation of code, which may allow remote code execution, data exfiltration, or cause a system crash.

Code Injection

In WebAccess versions 8.4.1 and prior

CVE-2019-13556 8.8 - High - September 18, 2019

In WebAccess versions 8.4.1 and prior, multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

Buffer Overflow

In WebAccess, versions 8.4.1 and prior, an improper authorization vulnerability may

CVE-2019-13550 9.8 - Critical - September 18, 2019

In WebAccess, versions 8.4.1 and prior, an improper authorization vulnerability may allow an attacker to disclose sensitive information, cause improper control of generation of code, which may allow remote code execution or cause a system crash.

AuthZ

In WebAccess versions 8.4.1 and prior, multiple command injection vulnerabilities are caused by a lack of proper validation of user-supplied data and may

CVE-2019-13552 8.8 - High - September 18, 2019

In WebAccess versions 8.4.1 and prior, multiple command injection vulnerabilities are caused by a lack of proper validation of user-supplied data and may allow arbitrary file deletion and remote code execution.

Command Injection

Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.1

CVE-2019-3975 9.8 - Critical - September 10, 2019

Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.1 allows a remote, unauthenticated attacker to execute arbitrary code via a crafted IOCTL 70603 RPC message.

Classic Buffer Overflow

In WebAccess/SCADA

CVE-2019-10991 9.8 - Critical - June 28, 2019

In WebAccess/SCADA, Versions 8.3.5 and prior, multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

Memory Corruption

In WebAccess/SCADA Versions 8.3.5 and prior

CVE-2019-10989 9.8 - Critical - June 28, 2019

In WebAccess/SCADA Versions 8.3.5 and prior, multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution. Note: A different vulnerability than CVE-2019-10991.

Memory Corruption

In WebAccess/SCADA Versions 8.3.5 and prior

CVE-2019-10987 8.8 - High - June 28, 2019

In WebAccess/SCADA Versions 8.3.5 and prior, multiple out-of-bounds write vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

Memory Corruption

In WebAccess/SCADA

CVE-2019-10985 9.1 - Critical - June 28, 2019

In WebAccess/SCADA, Versions 8.3.5 and prior, a path traversal vulnerability is caused by a lack of proper validation of a user-supplied path prior to use in file operations. An attacker can leverage this vulnerability to delete files while posing as an administrator.

Directory traversal

In WebAccess/SCADA Versions 8.3.5 and prior

CVE-2019-10983 7.5 - High - June 28, 2019

In WebAccess/SCADA Versions 8.3.5 and prior, an out-of-bounds read vulnerability is caused by a lack of proper validation of user-supplied data. Exploitation of this vulnerability may allow disclosure of information.

Out-of-bounds Read

In WebAccess/SCADA Versions 8.3.5 and prior, multiple untrusted pointer dereference vulnerabilities may

CVE-2019-10993 9.8 - Critical - June 28, 2019

In WebAccess/SCADA Versions 8.3.5 and prior, multiple untrusted pointer dereference vulnerabilities may allow a remote attacker to execute arbitrary code.

Buffer Overflow

Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0

CVE-2019-3954 9.8 - Critical - June 19, 2019

Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.

Memory Corruption

Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0

CVE-2019-3953 9.8 - Critical - June 18, 2019

Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 10012 RPC call.

Memory Corruption

Advantech WebAccess 8.3.4 is vulnerable to file upload attacks via unauthenticated RPC call

CVE-2019-3940 9.8 - Critical - April 09, 2019

Advantech WebAccess 8.3.4 is vulnerable to file upload attacks via unauthenticated RPC call. An unauthenticated, remote attacker can use this vulnerability to execute arbitrary code.

Unrestricted File Upload

Advantech WebAccess 8.3.4

CVE-2019-3941 7.5 - High - April 09, 2019

Advantech WebAccess 8.3.4 allows unauthenticated, remote attackers to delete arbitrary files via IOCTL 10005 RPC.

Missing Authentication for Critical Function

Advantech WebAccess/SCADA, Versions 8.3.5 and prior

CVE-2019-6554 7.5 - High - April 05, 2019

Advantech WebAccess/SCADA, Versions 8.3.5 and prior. An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.

Authorization

Advantech WebAccess/SCADA, Versions 8.3.5 and prior

CVE-2019-6552 9.8 - Critical - April 05, 2019

Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple command injection vulnerabilities, caused by a lack of proper validation of user-supplied data, may allow remote code execution.

Command Injection

Advantech WebAccess/SCADA, Versions 8.3.5 and prior

CVE-2019-6550 9.8 - Critical - April 05, 2019

Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple stack-based buffer overflow vulnerabilities, caused by a lack of proper validation of the length of user-supplied data, may allow remote code execution.

Buffer Overflow

Advantech WebAccess 8.3.1 and 8.3.2 are vulnerable to cross-site scripting in the Bwmainleft.asp page

CVE-2018-15707 5.4 - Medium - October 31, 2018

Advantech WebAccess 8.3.1 and 8.3.2 are vulnerable to cross-site scripting in the Bwmainleft.asp page. An attacker could leverage this vulnerability to disclose credentials amongst other things.

XSS

WADashboard API in Advantech WebAccess 8.3.1 and 8.3.2

CVE-2018-15706 6.5 - Medium - October 31, 2018

WADashboard API in Advantech WebAccess 8.3.1 and 8.3.2 allows remote authenticated attackers to read any file on the filesystem due to a directory traversal vulnerability in the readFile API.

Directory traversal

WADashboard API in Advantech WebAccess 8.3.1 and 8.3.2

CVE-2018-15705 6.5 - Medium - October 31, 2018

WADashboard API in Advantech WebAccess 8.3.1 and 8.3.2 allows remote authenticated attackers to write or overwrite any file on the filesystem due to a directory traversal vulnerability in the writeFile API. An attacker can use this vulnerability to remotely execute arbitrary code.

Directory traversal

WebAccess Versions 8.3.2 and prior

CVE-2018-17908 7.8 - High - October 29, 2018

WebAccess Versions 8.3.2 and prior. During installation, the application installer disables user access control and does not re-enable it after the installation is complete. This could allow an attacker to run elevated arbitrary code.

Authorization

WebAccess Versions 8.3.2 and prior

CVE-2018-17910 7.8 - High - October 29, 2018

WebAccess Versions 8.3.2 and prior. The application fails to properly validate the length of user-supplied data, causing a buffer overflow condition that allows for arbitrary remote code execution.

Buffer Overflow

Advantech WebAccess 8.3.1 and earlier has an improper privilege management vulnerability, which may

CVE-2018-14828 7.8 - High - October 23, 2018

Advantech WebAccess 8.3.1 and earlier has an improper privilege management vulnerability, which may allow an attacker to access those files and perform actions at a system administrator level.

Improper Privilege Management

Advantech WebAccess 8.3.1 and earlier has a .dll component

CVE-2018-14820 7.5 - High - October 23, 2018

Advantech WebAccess 8.3.1 and earlier has a .dll component that is susceptible to external control of file name or path vulnerability, which may allow an arbitrary file deletion when processing.

Improper Input Validation

Advantech WebAccess 8.3.1 and earlier has several stack-based buffer overflow vulnerabilities

CVE-2018-14816 9.8 - Critical - October 23, 2018

Advantech WebAccess 8.3.1 and earlier has several stack-based buffer overflow vulnerabilities that have been identified, which may allow an attacker to execute arbitrary code.

Memory Corruption

Advantech WebAccess 8.3.1 and earlier has a path traversal vulnerability which may

CVE-2018-14806 9.8 - Critical - October 23, 2018

Advantech WebAccess 8.3.1 and earlier has a path traversal vulnerability which may allow an attacker to execute arbitrary code.

Directory traversal

Advantech WebAccess 8.3.2 and below is vulnerable to a stack buffer overflow vulnerability

CVE-2018-15704 8.8 - High - October 22, 2018

Advantech WebAccess 8.3.2 and below is vulnerable to a stack buffer overflow vulnerability. A remote authenticated attacker could potentially exploit this vulnerability by sending a crafted HTTP request to broadweb/system/opcImg.asp.

Memory Corruption

Advantech WebAccess 8.3.2 and below is vulnerable to multiple reflected cross site scripting vulnerabilities

CVE-2018-15703 6.1 - Medium - October 22, 2018

Advantech WebAccess 8.3.2 and below is vulnerable to multiple reflected cross site scripting vulnerabilities. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim to supply malicious HTML or JavaScript code to WebAccess, which is then reflected back to the victim and executed by the web browser.

XSS

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an external control of file name or path vulnerability has been identified, which may

CVE-2018-7495 7.5 - High - May 15, 2018

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an external control of file name or path vulnerability has been identified, which may allow an attacker to delete files.

Directory traversal

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several untrusted pointer dereference vulnerabilities have been identified, which may

CVE-2018-7497 9.8 - Critical - May 15, 2018

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several untrusted pointer dereference vulnerabilities have been identified, which may allow an attacker to execute arbitrary code.

NULL Pointer Dereference

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several stack-based buffer overflow vulnerabilities have been identified, which may

CVE-2018-7499 9.8 - Critical - May 15, 2018

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several stack-based buffer overflow vulnerabilities have been identified, which may allow an attacker to execute arbitrary code.

Buffer Overflow

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several SQL injection vulnerabilities have been identified, which may

CVE-2018-7501 7.5 - High - May 15, 2018

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several SQL injection vulnerabilities have been identified, which may allow an attacker to disclose sensitive information from the host.

SQL Injection

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path transversal vulnerability has been identified, which may

CVE-2018-7503 7.5 - High - May 15, 2018

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path transversal vulnerability has been identified, which may allow an attacker to disclose sensitive information on the target.

Directory traversal

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a TFTP application has unrestricted file uploads to the web application without authorization, which may

CVE-2018-7505 9.8 - Critical - May 15, 2018

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a TFTP application has unrestricted file uploads to the web application without authorization, which may allow an attacker to execute arbitrary code.

Unrestricted File Upload

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an improper privilege management vulnerability may

CVE-2018-8841 7.8 - High - May 15, 2018

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an improper privilege management vulnerability may allow an authenticated user to modify files when read access should only be given to the user.

Improper Privilege Management

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a heap-based buffer overflow vulnerability has been identified, which may

CVE-2018-8845 9.8 - Critical - May 15, 2018

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a heap-based buffer overflow vulnerability has been identified, which may allow an attacker to execute arbitrary code.

Buffer Overflow

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path transversal vulnerability has been identified, which may

CVE-2018-10589 9.8 - Critical - May 15, 2018

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path transversal vulnerability has been identified, which may allow an attacker to execute arbitrary code.

Directory traversal

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an information exposure vulnerability through directory listing has been identified, which may allow an attacker to find important files

CVE-2018-10590 7.5 - High - May 15, 2018

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an information exposure vulnerability through directory listing has been identified, which may allow an attacker to find important files that are not normally visible.

Insertion of Sensitive Information into Externally-Accessible File or Directory

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an origin validation error vulnerability has been identified, which may

CVE-2018-10591 6.1 - Medium - May 15, 2018

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an origin validation error vulnerability has been identified, which may allow an attacker can create a malicious web site, steal session cookies, and access data of authenticated users.

Session Fixation

The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3.0

CVE-2018-6911 9.8 - Critical - February 13, 2018

The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3.0 allows remote attackers to execute arbitrary OS commands via a single argument (aka the command parameter).

Shell injection