Vendor CVEs
Advantech
All CVEs
325 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-0855 | | Hig | 0.49 | 7.5 | 0.05 | | Jan 15, 2016 | Directory traversal vulnerability in Advantech WebAccess before 8.1 allows remote attackers to list arbitrary virtual-directory files via unspecified vectors. |
| CVE-2016-0853 | | Hig | 0.49 | 7.5 | 0.02 | | Jan 15, 2016 | Advantech WebAccess before 8.1 allows remote attackers to obtain sensitive information via crafted input. |
| CVE-2016-0852 | | Hig | 0.49 | 7.5 | 0.02 | | Jan 15, 2016 | Advantech WebAccess before 8.1 allows remote attackers to bypass an intended administrative requirement and obtain file or folder access via unspecified vectors. |
| CVE-2016-0851 | | Hig | 0.49 | 7.5 | 0.02 | | Jan 15, 2016 | Advantech WebAccess before 8.1 allows remote attackers to cause a denial of service (out-of-bounds memory access) via unspecified vectors. |
| CVE-2026-2670 | | Hig | 0.47 | 7.2 | 0.15 | | Feb 18, 2026 | A vulnerability was identified in Advantech WISE-6610 1.2.1_20251110. Affected is an unknown function of the file /cgi-bin/luci/admin/openvpn_apply of the component Background Management. Such manipulation of the argument delete_file leads to os command injection. The attack can… |
| CVE-2017-7929 | | Hig | 0.46 | 7.1 | 0.02 | | May 6, 2017 | An Absolute Path Traversal issue was discovered in Advantech WebAccess Version 8.1 and prior. The absolute path traversal vulnerability has been identified, which may allow an attacker to traverse the file system to access restricted files or directories. |
| CVE-2017-14016 | | Med | 0.45 | 6.3 | 0.16 | | Nov 6, 2017 | A Stack-based Buffer Overflow issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. The application lacks proper validation of the length of user-supplied data prior to copying it to a stack-based buffer, which could allow an attacker to execute arbitrary… |
| CVE-2016-4525 | | Med | 0.43 | 6.6 | 0.00 | | Jun 25, 2016 | Unspecified ActiveX controls in Advantech WebAccess before 8.1_20160519 allow remote authenticated users to obtain sensitive information or modify data via unknown vectors, related to the INTERFACESAFE_FOR_UNTRUSTED_CALLER (aka safe for scripting) flag. |
| CVE-2025-52459 | | Med | 0.42 | 6.5 | 0.00 | | Jul 11, 2025 | A vulnerability exists in Advantech iView that allows for argument injection in NetworkServlet.backupDatabase(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters can be used directly in a command without proper … |
| CVE-2024-2453 | | Med | 0.42 | 6.4 | 0.00 | | Mar 21, 2024 | There is an SQL injection vulnerability in Advantech WebAccess/SCADA software that allows an authenticated attacker to remotely inject SQL code in the database. Successful exploitation of this vulnerability could allow an attacker to read or modify data on the remote database. |
| CVE-2017-16732 | | Med | 0.42 | 6.5 | 0.01 | | Jan 12, 2018 | A use-after-free issue was discovered in Advantech WebAccess versions prior to 8.3. WebAccess allows an unauthenticated attacker to specify an arbitrary address. |
| CVE-2024-39364 | | Med | 0.41 | 6.3 | 0.00 | | Sep 27, 2024 | Advantech ADAM-5630 has built-in commands that can be executed without authenticating the user. These commands allow for restarting the operating system, rebooting the hardware, and stopping the execution. The commands can be sent to a simple HTTP request and are executed by… |
| CVE-2026-36226 | | Med | 0.40 | 6.1 | 0.00 | | May 22, 2026 | Cross Site Scripting vulnerability in Advantech WebAccess/SCADA 8.0-2015.08.16 allows a remote attacker to obtain sensitive information via the decryption field in the Create New Project User component |
| CVE-2018-10591 | | Med | 0.40 | 6.1 | 0.01 | | May 15, 2018 | In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an origin validation error vulnerability has been… |
| CVE-2016-5810 | | Med | 0.36 | 4.9 | 0.15 | | May 2, 2017 | upAdminPg.asp in Advantech WebAccess before 8.1_20160519 allows remote authenticated administrators to obtain sensitive password information via unspecified vectors. |
| CVE-2018-5445 | | Med | 0.35 | 5.3 | 0.02 | | Jan 25, 2018 | A Path Traversal issue was discovered in Advantech WebAccess/SCADA versions prior to V8.2_20170817. An attacker has read access to files within the directory structure of the target device. |
| CVE-2018-5443 | | Med | 0.35 | 5.3 | 0.01 | | Jan 25, 2018 | A SQL Injection issue was discovered in Advantech WebAccess/SCADA versions prior to V8.2_20170817. WebAccess/SCADA does not properly sanitize its inputs for SQL commands. |
| CVE-2015-3948 | | Med | 0.35 | 5.4 | 0.01 | | Jan 15, 2016 | Cross-site scripting (XSS) vulnerability in Advantech WebAccess before 8.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2015-3943 | | Med | 0.35 | 5.3 | 0.02 | | Jan 15, 2016 | Advantech WebAccess before 8.1 allows remote attackers to read sensitive cleartext information about e-mail project accounts via unspecified vectors. |
| CVE-2016-4528 | | Med | 0.33 | 5.0 | 0.01 | | Jun 25, 2016 | Buffer overflow in Advantech WebAccess before 8.1_20160519 allows local users to cause a denial of service via a crafted DLL file. |
| CVE-2022-2143 | | | 0.08 | — | 0.59 | | Jul 22, 2022 | The affected product is vulnerable to two instances of command injection, which may allow an attacker to remotely execute arbitrary code. |
| CVE-2014-2364 | | | 0.08 | — | 0.61 | | Jul 19, 2014 | Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9)… |
| CVE-2021-21805 | | | 0.07 | — | 0.70 | | Aug 5, 2021 | An OS Command Injection vulnerability exists in the ping.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger this vulnerability. |
| CVE-2021-21801 | | | 0.07 | — | 0.63 | | Jul 16, 2021 | This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution. |
| CVE-2021-21803 | | | 0.06 | — | 0.08 | | Jul 16, 2021 | This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution. |
| CVE-2021-21799 | | | 0.06 | — | 0.12 | | Jul 16, 2021 | Cross-site scripting vulnerabilities exist in the telnet_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user’s browser. An… |
| CVE-2021-22652 | | | 0.06 | — | 0.37 | | Feb 11, 2021 | Access to the Advantech iView versions prior to v5.7.03.6112 configuration are missing authentication, which may allow an unauthorized attacker to change the configuration and obtain code execution. |
| CVE-2011-0340 | | | 0.06 | — | 0.32 | | May 4, 2011 | Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol.ocx 61.6.0.0 and 301.1009.2904.0 in the ISSymbol virtual machine, as distributed in Advantech Studio 6.1 SP6 61.6.01.05, InduSoft Web Studio before 7.0+SP1, and InduSoft Thin Client 7.0, allow remote attackers… |
| CVE-2021-21802 | | | 0.05 | — | 0.10 | | Jul 16, 2021 | This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution. |
| CVE-2021-21800 | | | 0.05 | — | 0.14 | | Jul 16, 2021 | Cross-site scripting vulnerabilities exist in the ssh_form.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user’s browser. An… |
| CVE-2014-8387 | | | 0.05 | — | 0.24 | | Nov 20, 2014 | cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi. |
| CVE-2014-0763 | | | 0.05 | — | 0.19 | | Apr 12, 2014 | An attacker using SQL injection may use arguments to construct queries without proper sanitization. The DBVisitor.dll is exposed through SOAP interfaces, and the exposed functions are vulnerable to SOAP injection. This may allow unexpected SQL action and access to records in… |
| CVE-2023-5642 | | | 0.04 | — | 0.17 | | Oct 18, 2023 | Advantech R-SeeNet v2.4.23 allows an unauthenticated remote attacker to read from and write to the snmpmon.ini file, which contains sensitive information. |
| CVE-2018-15705 | | | 0.04 | — | 0.12 | | Oct 31, 2018 | WADashboard API in Advantech WebAccess 8.3.1 and 8.3.2 allows remote authenticated attackers to write or overwrite any file on the filesystem due to a directory traversal vulnerability in the writeFile API. An attacker can use this vulnerability to remotely execute arbitrary… |
| CVE-2014-9208 | | | 0.04 | — | 0.09 | | Sep 11, 2015 | Multiple stack-based buffer overflows in unspecified DLL files in Advantech WebAccess before 8.0.1 allow remote attackers to execute arbitrary code via unknown vectors. |
| CVE-2012-0242 | | | 0.04 | — | 0.07 | | Feb 21, 2012 | Format string vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary code via format string specifiers in a message string. |
| CVE-2011-4041 | | | 0.04 | — | 0.18 | | Feb 6, 2012 | webvrpcs.exe in Advantech/BroadWin WebAccess allows remote attackers to execute arbitrary code or obtain a security-code value via a long string in an RPC request to TCP port 4592. |
| CVE-2020-12002 | | | 0.03 | — | 0.09 | | May 8, 2020 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple stack-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution. |
| CVE-2018-15707 | | | 0.03 | — | 0.02 | | Oct 31, 2018 | Advantech WebAccess 8.3.1 and 8.3.2 are vulnerable to cross-site scripting in the Bwmainleft.asp page. An attacker could leverage this vulnerability to disclose credentials amongst other things. |
| CVE-2014-8386 | | | 0.03 | — | 0.06 | | Jan 20, 2015 | Multiple stack-based buffer overflows in Advantech AdamView 4.3 and earlier allow remote attackers to execute arbitrary code via a crafted (1) display properties or (2) conditional bitmap parameter in a GNI file. |
| CVE-2013-2299 | | | 0.03 | — | 0.01 | | Aug 22, 2013 | Cross-site scripting (XSS) vulnerability in Advantech WebAccess (formerly BroadWin WebAccess) before 7.1 2013.05.30 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2013-1627 | | | 0.03 | — | 0.03 | | Mar 11, 2013 | Absolute path traversal vulnerability in NTWebServer.exe in Indusoft Studio 7.0 and earlier and Advantech Studio 7.0 and earlier allows remote attackers to read arbitrary files via a full pathname in an argument to the sub_401A90 CreateFileW function. |
| CVE-2012-0241 | | | 0.03 | — | 0.05 | | Feb 21, 2012 | Advantech/BroadWin WebAccess before 7.0 allows remote attackers to cause a denial of service (memory corruption) via a modified stream identifier to a function. |
| CVE-2021-21804 | | | 0.02 | — | 0.04 | | Jul 16, 2021 | A local file inclusion (LFI) vulnerability exists in the options.php script functionality of Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to arbitrary PHP code execution. An attacker can send a crafted HTTP request to trigger this… |
| CVE-2020-10638 | | | 0.02 | — | 0.07 | | May 8, 2020 | Advantech WebAccess Node, Version 8.4.4 and prior, Version 9.0.0. Multiple heap-based buffer overflow vulnerabilities exist caused by a lack of proper validation of the length of user-supplied data, which may allow remote code execution. |
| CVE-2019-10993 | | | 0.02 | — | 0.11 | | Jun 28, 2019 | In WebAccess/SCADA Versions 8.3.5 and prior, multiple untrusted pointer dereference vulnerabilities may allow a remote attacker to execute arbitrary code. |
| CVE-2023-2574 | | | 0.01 | — | 0.05 | | May 8, 2023 | Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request. |
| CVE-2020-16245 | | | 0.01 | — | 0.08 | | Aug 25, 2020 | Advantech iView, Versions 5.7 and prior. The affected product is vulnerable to path traversal vulnerabilities that could allow an attacker to create/download arbitrary files, limit system availability, and remotely execute code. |
| CVE-2019-3951 | | | 0.01 | — | 0.04 | | Dec 12, 2019 | Advantech WebAccess before 8.4.3 allows unauthenticated remote attackers to execute arbitrary code or cause a denial of service (memory corruption) due to a stack-based buffer overflow when handling IOCTL 70533 RPC messages. |
| CVE-2019-3975 | | | 0.01 | — | 0.05 | | Sep 10, 2019 | Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.1 allows a remote, unauthenticated attacker to execute arbitrary code via a crafted IOCTL 70603 RPC message. |