CVEdetails.com the ultimate security vulnerability data source

Advantech : Security Vulnerabilities

Each entry below lists the CVE ID, CWE ID, vulnerability type(s), publish date, update date and CVSS score on the first line; the gained access level, access vector, access complexity, authentication requirement and confidentiality / integrity / availability impact on the second line; and the description on the third. The "# of Exploits" column is empty for every entry on this page.

1. CVE-2021-42706 | CWE-416 | Exec Code | Published 2021-11-15 | Updated 2021-11-17 | Score 4.6
   Gained access: None | Access: Local | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   This vulnerability could allow an attacker to disclose information and execute arbitrary code on affected installations of WebAccess/HMI Designer.

2. CVE-2021-42703 | CWE-79 | XSS | Published 2021-11-15 | Updated 2021-11-16 | Score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: None
   This vulnerability could allow an attacker to send malicious JavaScript code, resulting in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage, and performing unintended browser actions.

3. CVE-2021-38431 | CWE-862 | (no type listed) | Published 2021-10-15 | Updated 2021-10-20 | Score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: None | Avail.: None
   An authenticated user using Advantech WebAccess SCADA in versions 9.0.3 and prior can use API functions to disclose project names and paths from other users.

4. CVE-2021-38408 | CWE-121 | Exec Code Overflow | Published 2021-09-09 | Updated 2021-09-20 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A stack-based buffer overflow vulnerability in Advantech WebAccess versions 9.02 and prior, caused by a lack of proper validation of the length of user-supplied data, may allow remote code execution.

5. CVE-2021-38389 | CWE-787 | Exec Code Overflow | Published 2021-10-18 | Updated 2021-10-20 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute code.

6. CVE-2021-34540 | CWE-79 | XSS | Published 2021-06-11 | Updated 2021-06-21 | Score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: None
   Advantech WebAccess 8.4.2 and 8.4.4 allow XSS via the username column of the bwRoot.asp page of WADashboard.

7. CVE-2021-33023 | CWE-787 | Exec Code Overflow | Published 2021-10-18 | Updated 2021-10-20 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may allow an attacker to remotely execute code.

8. CVE-2021-33004 | CWE-119 | Exec Code Overflow Mem. Corr. | Published 2021-06-24 | Updated 2021-07-01 | Score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   The affected product is vulnerable to a memory corruption condition due to a lack of proper validation of user-supplied files, which may allow an attacker to execute arbitrary code. User interaction is required on the WebAccess HMI Designer (versions 2.1.9.95 and prior).

9. CVE-2021-33002 | CWE-787 | Exec Code | Published 2021-06-24 | Updated 2021-07-01 | Score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Opening a maliciously crafted project file may cause an out-of-bounds write, which may allow an attacker to execute arbitrary code. User interaction is required on the WebAccess HMI Designer (versions 2.1.9.95 and prior).

10. CVE-2021-33000 | CWE-787 | Exec Code Overflow | Published 2021-06-24 | Updated 2021-07-01 | Score 6.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Parsing a maliciously crafted project file may cause a heap-based buffer overflow, which may allow an attacker to perform arbitrary code execution. User interaction is required on the WebAccess HMI Designer (versions 2.1.9.95 and prior).

11. CVE-2021-32956 | CWE-601 | (no type listed) | Published 2021-06-18 | Updated 2021-06-24 | Score 5.8
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: None
   Advantech WebAccess/SCADA versions 9.0.1 and prior are vulnerable to redirection, which may allow an attacker to send a maliciously crafted URL that could result in redirecting a user to a malicious webpage.

12. CVE-2021-32954 | CWE-23 | Dir. Trav. | Published 2021-06-18 | Updated 2021-06-24 | Score 6.8
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Complete | Integ.: None | Avail.: None
   Advantech WebAccess/SCADA versions 9.0.1 and prior are vulnerable to a directory traversal, which may allow an attacker to remotely read arbitrary files on the file system.

13. CVE-2021-32951 | CWE-287 | (no type listed) | Published 2021-10-27 | Updated 2021-10-29 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   WebAccess/NMS (versions prior to v3.0.3_Build6299) has an improper authentication vulnerability, which may allow unauthorized users to view resources monitored and controlled by WebAccess/NMS, as well as the IP addresses and names of all the devices managed via WebAccess/NMS.

14. CVE-2021-32943 | CWE-787 | Exec Code Overflow | Published 2021-08-10 | Updated 2021-08-17 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code on WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).

15. CVE-2021-32932 | CWE-89 | SQL | Published 2021-06-11 | Updated 2021-06-21 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   The affected product is vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information on iView (versions prior to v5.7.03.6182).

16. CVE-2021-32930 | CWE-306 | Exec Code | Published 2021-06-11 | Updated 2021-06-23 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   The affected product's configuration is vulnerable due to missing authentication, which may allow an attacker to change configurations and execute arbitrary code on iView (versions prior to v5.7.03.6182).

17. CVE-2021-27437 | CWE-798 | +Info | Published 2021-05-07 | Updated 2021-05-19 | Score 6.4
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: None
   The affected product allows attackers to obtain sensitive information from the WISE-PaaS dashboard. The system contains a hard-coded administrator username and password that can be used to query Grafana APIs. Authentication is not required for exploitation on WISE-PaaS/RMM (versions prior to 9.0.1).

18. CVE-2021-27436 | CWE-79 | XSS | Published 2021-03-18 | Updated 2021-03-25 | Score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: None
   WebAccess/SCADA versions 9.0 and prior are vulnerable to cross-site scripting, which may allow an attacker to send malicious JavaScript code to an unsuspecting user, which could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious webpage and performing unintended browser actions.

19. CVE-2021-22676 | CWE-79 | XSS | Published 2021-08-10 | Updated 2021-08-17 | Score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: None
   UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which could allow an attacker to send malicious JavaScript code. This could result in hijacking of cookie/session tokens, redirection to a malicious webpage, and unintended browser actions on WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).

20. CVE-2021-22674 | CWE-22 | Dir. Trav. | Published 2021-08-10 | Updated 2021-08-17 | Score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: None | Avail.: None
   The affected product is vulnerable to a relative path traversal condition, which may allow an attacker access to unauthorized files and directories on WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).

21. CVE-2021-22658 | CWE-89 | SQL | Published 2021-02-11 | Updated 2021-02-12 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an attacker to escalate privileges to 'Administrator'.

22. CVE-2021-22656 | CWE-22 | Dir. Trav. | Published 2021-02-11 | Updated 2021-02-12 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   Advantech iView versions prior to v5.7.03.6112 are vulnerable to directory traversal, which may allow an attacker to read sensitive files.

23. CVE-2021-22654 | CWE-89 | SQL | Published 2021-02-11 | Updated 2021-02-12 | Score 5.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: None | Avail.: None
   Advantech iView versions prior to v5.7.03.6112 are vulnerable to a SQL injection, which may allow an unauthorized attacker to disclose information.

24. CVE-2021-22652 | CWE-306 | Exec Code | Published 2021-02-11 | Updated 2021-03-26 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   Access to the configuration of Advantech iView versions prior to v5.7.03.6112 is missing authentication, which may allow an unauthorized attacker to change the configuration and obtain code execution.

25. CVE-2021-21937 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the 'host_alt_filter' parameter. This can be done as any authenticated user or through cross-site request forgery.

26. CVE-2021-21936 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the 'health_alt_filter' parameter. This can be done as any authenticated user or through cross-site request forgery.

27. CVE-2021-21935 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the 'host_alt_filter2' parameter. This can be done as any authenticated user or through cross-site request forgery.

28. CVE-2021-21934 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at the 'imei_filter' parameter. This can be done as any authenticated user or through cross-site request forgery.

29. CVE-2021-21933 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at the 'esn_filter' parameter. This can be done as any authenticated user or through cross-site request forgery.

30. CVE-2021-21932 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this at the 'name_filter' parameter. This can be done as any authenticated user or through cross-site request forgery.

31. CVE-2021-21931 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at the 'stat_filter' parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

32. CVE-2021-21930 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at the 'sn_filter' parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

33. CVE-2021-21929 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at the 'prod_filter' parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

34. CVE-2021-21928 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests at the 'mac_filter' parameter to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

35. CVE-2021-21927 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at the 'loc_filter' parameter.

36. CVE-2021-21926 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-23 | Score 4.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: None | Avail.: None
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at the 'health_filter' parameter.

37. CVE-2021-21925 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at the 'firm_filter' parameter.

38. CVE-2021-21924 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger these vulnerabilities. This can be done as any authenticated user or through cross-site request forgery at the 'desc_filter' parameter.

39. CVE-2021-21923 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the 'company_filter' parameter with the administrative account or through cross-site request forgery.

40. CVE-2021-21922 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the 'username_filter' parameter with the administrative account or through cross-site request forgery.

41. CVE-2021-21921 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the 'name_filter' parameter with the administrative account or through cross-site request forgery.

42. CVE-2021-21920 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the 'surname_filter' parameter with the administrative account or through cross-site request forgery.

43. CVE-2021-21919 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the 'ord' parameter. However, the high-privilege super-administrator account needs to be used to achieve exploitation without a cross-site request forgery attack.

44. CVE-2021-21918 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A specially-crafted HTTP request can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability at the 'name_filter' parameter. However, the high-privilege super-administrator account needs to be used to achieve exploitation without a cross-site request forgery attack.

45. CVE-2021-21917 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   An exploitable SQL injection vulnerability exists in the 'group_list' page of Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at the 'ord' parameter can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

46. CVE-2021-21916 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   An exploitable SQL injection vulnerability exists in the 'group_list' page of Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at the 'description_filter' parameter can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

47. CVE-2021-21915 | CWE-89 | SQL CSRF | Published 2021-12-22 | Updated 2021-12-28 | Score 6.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: ??? | Conf.: Partial | Integ.: Partial | Avail.: Partial
   An exploitable SQL injection vulnerability exists in the 'group_list' page of Advantech R-SeeNet 2.4.15 (30.07.2021). A specially-crafted HTTP request at the 'company_filter' parameter can lead to SQL injection. An attacker can make authenticated HTTP requests to trigger this vulnerability. This can be done as any authenticated user or through cross-site request forgery.

48. CVE-2021-21805 | CWE-78 | Exec Code | Published 2021-08-05 | Updated 2021-08-12 | Score 10.0
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Complete | Integ.: Complete | Avail.: Complete
   An OS command injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger this vulnerability.

49. CVE-2021-21804 | CWE-829 | Exec Code File Inclusion | Published 2021-07-16 | Updated 2021-07-28 | Score 7.5
   Gained access: None | Access: Remote | Complexity: Low | Authentication: Not required | Conf.: Partial | Integ.: Partial | Avail.: Partial
   A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this vulnerability.

50. CVE-2021-21803 | CWE-79 | Exec Code XSS | Published 2021-07-16 | Updated 2021-07-20 | Score 4.3
   Gained access: None | Access: Remote | Complexity: Medium | Authentication: Not required | Conf.: None | Integ.: Partial | Avail.: None
   This vulnerability is present in the device_graph_page.php script, which is part of the Advantech R-SeeNet web application. A specially crafted URL created by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.
Total number of vulnerabilities: 251. This is page 1 of 6 (entries 1 to 50).