Webaccess
by Advantech
CVEs (164)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-34238 | | | 0.00 | — | 0.00 | | Nov 6, 2025 | Advantech WebAccess/VPN versions prior to 1.1.5 contain an absolute path traversal via AjaxStandaloneVpnClientsController.ajaxDownloadRoadWarriorConfigFileAction() that allows an authenticated network administrator to cause the application to read and return the contents of… |
| CVE-2025-34237 | | | 0.00 | — | 0.00 | | Nov 6, 2025 | Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via StandaloneVpnClientsController.addStandaloneVpnClientAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute… |
| CVE-2025-34236 | | | 0.00 | — | 0.00 | | Nov 6, 2025 | Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via NetworksController.addNetworkAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the… |
| CVE-2023-4215 | | | 0.00 | — | 0.00 | | Oct 16, 2023 | Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability that could leak user credentials. |
| CVE-2023-1437 | | | 0.00 | — | 0.03 | | Aug 2, 2023 | All versions prior to 9.1.4 of Advantech WebAccess/SCADA are vulnerable to use of untrusted pointers. The RPC arguments the client sent could contain raw memory pointers for the server to use as-is. This could allow an attacker to gain access to the remote file system and the… |
| CVE-2023-2866 | | | 0.00 | — | 0.00 | | Jun 7, 2023 | If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server. |
| CVE-2023-22450 | | | 0.00 | — | 0.01 | | Jun 5, 2023 | In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to upload an ASP script file to a webserver when logged in as manager user, which can lead to arbitrary code execution. |
| CVE-2023-32540 | | | 0.00 | — | 0.01 | | Jun 5, 2023 | In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead… |
| CVE-2023-32628 | | | 0.00 | — | 0.01 | | Jun 5, 2023 | In Advantech WebAccess/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution. |
| CVE-2021-32951 | | | 0.00 | — | 0.01 | | Oct 27, 2021 | WebAccess/NMS (Versions prior to v3.0.3_Build6299) has an improper authentication vulnerability, which may allow unauthorized users to view resources monitored and controlled by the WebAccess/NMS, as well as IP addresses and names of all the devices managed via WebAccess/NMS. |
| CVE-2021-38389 | | | 0.00 | — | 0.10 | | Oct 18, 2021 | Advantech WebAccess versions 9.02 and prior are vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute code. |
| CVE-2021-33023 | | | 0.00 | — | 0.02 | | Oct 18, 2021 | Advantech WebAccess versions 9.02 and prior are vulnerable to a heap-based buffer overflow, which may allow an attacker to remotely execute code. |
| CVE-2021-38431 | | | 0.00 | — | 0.01 | | Oct 15, 2021 | An authenticated user using Advantech WebAccess SCADA in versions 9.0.3 and prior can use API functions to disclose project names and paths from other users. |
| CVE-2021-38408 | | | 0.00 | — | 0.12 | | Sep 9, 2021 | A stack-based buffer overflow vulnerability in Advantech WebAccess Versions 9.02 and prior caused by a lack of proper validation of the length of user-supplied data may allow remote code execution. |
| CVE-2021-34540 | | | 0.00 | — | 0.01 | | Jun 11, 2021 | Advantech WebAccess 8.4.2 and 8.4.4 allows XSS via the username column of the bwRoot.asp page of WADashboard. |
| CVE-2020-16202 | | | 0.00 | — | 0.00 | | Sep 22, 2020 | WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may allow code execution with system privileges. |
| CVE-2020-12018 | | | 0.00 | — | 0.02 | | May 8, 2020 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. An out-of-bounds vulnerability exists that may allow access to unauthorized data. |
| CVE-2020-12026 | | | 0.00 | — | 0.02 | | May 8, 2020 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control. |
| CVE-2020-12014 | | | 0.00 | — | 0.02 | | May 8, 2020 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Input is not properly sanitized and may allow an attacker to inject SQL commands. |
| CVE-2020-12006 | | | 0.00 | — | 0.04 | | May 8, 2020 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control. |