SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-874717528] Advantech WebAccess

| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download | App | SIS Signature |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2017-01-12 | Other | Advantech | Tenable Network Security working with Trend Micro's Zero Day Initiative | N/A | CVE-2017-5154, CVE-2017-5152 | N/A | N/A | N/A | |

Source

#
# Advantech WebAccess
#


### VULNERABLE VENDOR
Advantech


### VULNERABLE PRODUCT
WebAccess



### RESEARCHER
Tenable Network Security working with Trend Micro's Zero Day Initiative



### AFFECTED PRODUCTS

The following WebAccess version is affected:

WebAccess Version 8.1



### IMPACT

Successful exploitation of this authentication bypass vulnerability could allow an attacker to access pages unrestricted; SQL injection condition may allow remote code execution.



### VULNERABILITY OVERVIEW

SQL INJECTION CWE-89
To be able to exploit the SQL injection vulnerability, an attacker must supply malformed input to the WebAccess software.
A successful attack could result in administrative access to the application and its data files.
CVE-2017-5154 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).


AUTHENTICATION BYPASS ISSUES CWE-592
By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access pages unrestricted.
CVE-2017-5152 has been assigned to this vulnerability.
A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
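The two weakness classes above, CWE-89 and CWE-592, each shown as the vulnerable pattern beside its hardened form. This is an added, generic illustration written for this entry against an in-memory SQLite table and a toy page router; it is not WebAccess code, and the advisory does not disclose the affected SQL statement, input or URL, so the table, the malformed input `O'Brien` and the page paths are constructed. The `audit_routes` helper is the defender's view: it lists every page the hand-maintained guard list leaves reachable without a session.

```python
"""CWE-89 and CWE-592 patterns, vulnerable beside hardened (constructed example)."""
import sqlite3
from typing import Optional


# Constructed sample data: a small application user table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "administrator"), ("operator", "viewer")])
    return conn


# ---- CWE-89: SQL injection --------------------------------------------------
def lookup_role_unsafe(conn: sqlite3.Connection, name: str) -> Optional[str]:
    # Vulnerable pattern: the caller's string becomes part of the SQL text, so a
    # quote character in it ends the literal and the remainder is parsed as SQL.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_role_safe(conn: sqlite3.Connection, name: str) -> Optional[str]:
    # Hardened pattern: a bound parameter is always passed as a value and never
    # parsed as SQL, whatever characters it contains.
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def injection_demo(name: str = "O'Brien") -> dict:
    """Run both lookups on a constructed malformed input (an unescaped quote).
    The safe path simply finds no such user; the unsafe path fails with a SQL
    syntax error, which is also the log signature a defender can alert on."""
    conn = make_db()
    result = {"safe": lookup_role_safe(conn, name), "unsafe": None, "unsafe_error": None}
    try:
        result["unsafe"] = lookup_role_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        result["unsafe_error"] = str(exc)
    return result


# ---- CWE-592: authentication bypass by URL ----------------------------------
# Constructed site map: page path -> whether the page is meant to be public.
PAGES = {"/login": True, "/dashboard": False, "/config": False, "/export": False}
# A guard list maintained by hand, which has fallen out of step with PAGES.
GUARDED = {"/dashboard", "/config"}


def serve_blocklist(path: str, user: Optional[str]) -> int:
    """Vulnerable pattern: only pages someone remembered to list are guarded,
    so requesting an unlisted URL (/export here) returns 200 with no session."""
    if path not in PAGES:
        return 404
    if path in GUARDED and user is None:
        return 302  # redirect to the login page
    return 200


def serve_deny_by_default(path: str, user: Optional[str]) -> int:
    """Hardened pattern: every page needs a session unless explicitly marked
    public, so a forgotten entry fails closed instead of open."""
    if path not in PAGES:
        return 404
    if not PAGES[path] and user is None:
        return 302
    return 200


def audit_routes() -> list:
    """Pages the blocklist router serves without a session that the
    deny-by-default router would refuse: the bypass surface to fix."""
    return sorted(p for p in PAGES
                  if serve_blocklist(p, None) == 200
                  and serve_deny_by_default(p, None) != 200)


if __name__ == "__main__":
    print("CWE-89 demo:", injection_demo())
    print("CWE-592 pages reachable without a session:", audit_routes())
```

The `audit_routes` comparison generalises to any real application: enumerate the routes, request each one without a session, and anything other than a redirect or 401/403 on a non-public page is a finding.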





### BACKGROUND



### MITIGATION

Advantech has produced WebAccess Version 8.2, which mitigates these vulnerabilities. The new version can be downloaded at http://www.advantech.com/industrial-automation/webaccess.