ID

VAR-201301-0475


TITLE

Advantech WebAccess HMI/SCADA HTML Injection Vulnerability

Trust: 1.5

sources: CNVD: CNVD-2013-00145 // BID: 57178 // CNNVD: CNNVD-201301-092

DESCRIPTION

Advantech specializes in networked computing and network automation, offering more than 450 products, including industrial data acquisition, automation software, computer platforms, industrial computers, motherboards and accessories. Advantech/BroadWin WebAccess is a fully browser-based Human Machine Interface (HMI) and Supervisory Control and Data Acquisition (SCADA) software package. Advantech WebAccess HMI/SCADA is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to execute HTML or JavaScript code in the context of the affected site, steal cookie-based authentication credentials and control how the site is presented to the user. Advantech WebAccess HMI/SCADA 7.0-2012.12.05 is vulnerable; other versions may also be affected.

Trust: 0.99

sources: CNVD: CNVD-2013-00145 // BID: 57178 // IVD: 855e41a4-1f43-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.8

sources: IVD: 855e41a4-1f43-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-00145

AFFECTED PRODUCTS

vendor: advantech
model: webaccess hmi/scada
scope: eq
version: 7.0-2012.12.05

Trust: 0.8

sources: IVD: 855e41a4-1f43-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-00145

CVSS

SEVERITY

IVD: 855e41a4-1f43-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

CVSSV2

IVD: 855e41a4-1f43-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0 [IVD]

CVSSV3

(no CVSSv3 score recorded)

Trust: 0.2

sources: IVD: 855e41a4-1f43-11e6-abef-000c29c66e3d

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201301-092

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201301-092

EXTERNAL IDS

db: BID, id: 57178

Trust: 1.5

db: CNVD, id: CNVD-2013-00145

Trust: 0.8

db: CNNVD, id: CNNVD-201301-092

Trust: 0.6

db: IVD, id: 855E41A4-1F43-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 855e41a4-1f43-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-00145 // BID: 57178 // CNNVD: CNNVD-201301-092

REFERENCES

url: http://www.securityfocus.com/bid/57178

Trust: 1.2

url: http://secpod.org/blog/?p=569

Trust: 0.3

url: http://secpod.org/advisories/secpod_advantech_webaccess_stored_xss_vuln.txt

Trust: 0.3

url: http://webaccess.advantech.com

Trust: 0.3

sources: CNVD: CNVD-2013-00145 // BID: 57178 // CNNVD: CNNVD-201301-092

CREDITS

Antu Sanadi

Trust: 0.9

sources: BID: 57178 // CNNVD: CNNVD-201301-092

SOURCES

db: IVD, id: 855e41a4-1f43-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2013-00145
db: BID, id: 57178
db: CNNVD, id: CNNVD-201301-092

LAST UPDATE DATE

2022-05-17T01:45:25.974000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-00145, date: 2013-01-10T00:00:00
db: BID, id: 57178, date: 2013-01-08T00:00:00
db: CNNVD, id: CNNVD-201301-092, date: 2013-01-09T00:00:00

SOURCES RELEASE DATE

db: IVD, id: 855e41a4-1f43-11e6-abef-000c29c66e3d, date: 2013-01-10T00:00:00
db: CNVD, id: CNVD-2013-00145, date: 2013-01-10T00:00:00
db: BID, id: 57178, date: 2013-01-08T00:00:00
db: CNNVD, id: CNNVD-201301-092, date: 2013-01-09T00:00:00