Webaccess
by Advantech
CVEs (164)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2012-0241 | | | 0.03 | — | 0.05 | | Feb 21, 2012 | Advantech/BroadWin WebAccess before 7.0 allows remote attackers to cause a denial of service (memory corruption) via a modified stream identifier to a function. |
| CVE-2020-10638 | | | 0.02 | — | 0.07 | | May 8, 2020 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple heap-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution. |
| CVE-2019-3951 | | | 0.01 | — | 0.04 | | Dec 12, 2019 | Advantech WebAccess before 8.4.3 allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service (memory corruption) due to a stack-based buffer overflow when handling IOCTL 70533 RPC messages. |
| CVE-2019-3975 | | | 0.01 | — | 0.05 | | Sep 10, 2019 | Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.1 allows a remote, unauthenticated attacker to execute arbitrary code via a crafted IOCTL 70603 RPC message. |
| CVE-2018-14806 | | | 0.01 | — | 0.05 | | Oct 23, 2018 | Advantech WebAccess 8.3.1 and earlier has a path traversal vulnerability which may allow an attacker to execute arbitrary code. |
| CVE-2018-15704 | | | 0.01 | — | 0.22 | | Oct 22, 2018 | Advantech WebAccess 8.3.2 and below is vulnerable to a stack buffer overflow vulnerability. A remote authenticated attacker could potentially exploit this vulnerability by sending a crafted HTTP request to broadweb/system/opcImg.asp. |
| CVE-2025-67653 | | | 0.00 | — | 0.01 | | Dec 18, 2025 | Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to determine the existence of arbitrary files. |
| CVE-2025-46268 | | | 0.00 | — | 0.00 | | Dec 18, 2025 | Advantech WebAccess/SCADA is vulnerable to SQL injection, which may allow an attacker to execute arbitrary SQL commands. |
| CVE-2025-14848 | | | 0.00 | — | 0.01 | | Dec 18, 2025 | Advantech WebAccess/SCADA is vulnerable to absolute directory traversal, which may allow an attacker to determine the existence of arbitrary files. |
| CVE-2025-14849 | | | 0.00 | — | 0.01 | | Dec 18, 2025 | Advantech WebAccess/SCADA is vulnerable to unrestricted file upload, which may allow an attacker to remotely execute arbitrary code. |
| CVE-2025-14850 | | | 0.00 | — | 0.01 | | Dec 18, 2025 | Advantech WebAccess/SCADA is vulnerable to directory traversal, which may allow an attacker to delete arbitrary files. |
| CVE-2025-34247 | | | 0.00 | — | 0.00 | | Nov 6, 2025 | Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in NetworksController.addNetworkAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information. |
| CVE-2025-34246 | | | 0.00 | — | 0.00 | | Nov 6, 2025 | Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxPrevalidationController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database… |
| CVE-2025-34245 | | | 0.00 | — | 0.00 | | Nov 6, 2025 | Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxStandaloneVpnClientsController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database… |
| CVE-2025-34244 | | | 0.00 | — | 0.00 | | Nov 6, 2025 | Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxDeviceFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database… |
| CVE-2025-34243 | | | 0.00 | — | 0.00 | | Nov 6, 2025 | Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxNetworkFwRulesAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database… |
| CVE-2025-34242 | | | 0.00 | — | 0.00 | | Nov 6, 2025 | Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxNetworkController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information. |
| CVE-2025-34241 | | | 0.00 | — | 0.00 | | Nov 6, 2025 | Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxDeviceController.ajaxDeviceAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database… |
| CVE-2025-34240 | | | 0.00 | — | 0.00 | | Nov 6, 2025 | Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database… |
| CVE-2025-34239 | | | 0.00 | — | 0.02 | | Nov 6, 2025 | Advantech WebAccess/VPN versions prior to 1.1.5 contain a command injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated system administrator to execute arbitrary commands as the web server user (www-data) by supplying a crafted… |