CVE-2018-10591
Description
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an origin validation error vulnerability has been identified, which may allow an attacker to create a malicious web site, steal session cookies, and access data of authenticated users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Advantech WebAccess versions prior to security updates contain an origin validation error vulnerability enabling session cookie theft and unauthorized data access.
Vulnerability
Advantech WebAccess versions V8.2_20170817 and prior, V8.3.0 and prior, Dashboard V.2.0.15 and prior, Scada Node prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior contain an origin validation error vulnerability (CWE-346). The application fails to properly validate the Origin header in cross-origin requests, allowing a malicious website to perform actions on behalf of an authenticated user. [1]
Exploitation
An attacker can host a malicious website that, when visited by an authenticated WebAccess user, makes cross-origin requests to the WebAccess server. The server does not validate the origin, enabling the attacker to steal the user's session cookies. No authentication or prior access is required for the attacker; the attack is remotely exploitable. [1]
Impact
Successful exploitation allows the attacker to steal session cookies of authenticated users, leading to unauthorized access to the WebAccess application and its data. This compromises confidentiality and integrity of user data, potentially allowing full control of the application. [1]
Mitigation
Advantech has released updates to address this vulnerability: WebAccess V8.2_20180418, V8.3.1, Dashboard V2.0.16, Scada Node V8.3.1, and WebAccess/NMS V2.0.4. Users should upgrade to these versions or later. As a workaround, restrict network access to the WebAccess server and avoid browsing untrusted websites while authenticated. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <8.3.1
- Range: <=V2.0.15
- (no CPE) range: <=V8.2_20170817 and <=V8.3.0
- (no CPE) range: WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, WebAccess/NMS 2.0.3 and prior.
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/104190 (mitre; vdb-entry, x_refsource_BID)
- ics-cert.us-cert.gov/advisories/ICSA-18-135-01 (mitre; x_refsource_MISC)