AzeoTech DAQFactory
Description
This vulnerability could allow an attacker to send malicious JavaScript code, resulting in hijacking of the user’s cookie/session tokens, redirecting the user to a malicious webpage, and performing unintended browser actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Advantech WebAccess HMI Designer allows attacker to hijack user sessions and perform malicious browser actions.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Advantech WebAccess HMI Designer versions prior to 2.1.11.0 [1]. The flaw allows an attacker to inject malicious JavaScript code, which is executed in the context of the user's browser session. The vulnerability is triggered when a user opens a specially crafted project file or interacts with a malicious web page designed to exploit the XSS condition.
Exploitation
An attacker must craft a malicious project file or web page containing the JavaScript payload and convince the user to open it (user interaction is required). No authentication or special network position is needed; the attack can be delivered via email, download, or other means. Once the user opens the file or page, the injected script executes in the browser, enabling the attacker to perform actions on behalf of the user.
Impact
Successful exploitation allows the attacker to hijack the user's cookies and session tokens, redirect the user to a malicious website, and perform unintended browser actions such as form submission or data exfiltration. This can lead to account takeover, information disclosure, and further compromise of the user's system.
Mitigation
Advantech has released WebAccess HMI Designer version 2.1.11.0 to address this vulnerability [1]. Users should update to this version or later. No workarounds are provided; the only mitigation is to apply the patch. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: All versions
Patches
No patches discovered yet.
References
1. us-cert.cisa.gov/ics/advisories/icsa-21-173-01 (mitre, x_refsource_MISC)