Buffer Overflow vulnerability in Advantech WebAccess

Overview :
In WebAccess versions 8.4.1 and prior, multiple stack based buffer overflow vulnerabilities are detected by a lack of proper validation of the length of user given data. Exploitation of these vulnerabilities will allow remote code execution.
Affected Product(s) :
WebAccess versions 8.4.1
Vulnerability Details :
Code Injection, Command Injection, Stack-based Buffer Overflow, Improper Authorization
CVE ID : CVE-2019-13558
A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An exploit executed over the network may cause improper control of generation of code, which may allow remote code execution, data exfiltration, or cause a system crash.
CVE ID : CVE-2019-13556
A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.
CVE ID : CVE-2019-13552
A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Multiple command injection vulnerabilities are caused by a lack of proper validation of user-supplied data and may allow arbitrary file deletion and remote code execution.
CVE ID : CVE-2019-13550
A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An improper authorization vulnerability may allow an attacker to disclose sensitive information, cause improper control of generation of code, which may allow remote code execution or cause a system crash.

Solution : Advantech has released Version 8.4.2 of WebAccessNode to address the reported vulnerabilities. Users can download the latest version of WebAccessNode.

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2022-40265 : MITSUBISHI ELECTRIC MELSEC IQ-R PACKETS DENIAL OF SERVICE

CVE-2022-40265 : MITSUBISHI ELECTRIC MELSEC IQ-R PACKETS DENIAL OF SERVICE

Description Improper Input Validation vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series RJ71EN71 Firmware version “65” and prior and Mitsubishi

CVE-2022-44400 : ORETNOM23 PURCHASE ORDER MANAGEMENT SYSTEM 1.0 UNRESTRICTED UPLOAD

CVE-2022-44400 : ORETNOM23 PURCHASE ORDER MANAGEMENT SYSTEM 1.0 UNRESTRICTED UPLOAD

Description Purchase Order Management System v1.0 contains a file upload vulnerability via /purchase_order/admin/?page=system_info. References https://github.com/lcg-22266/bug_report/blob/main/vendors/oretnom23/Purchase%20Order%20Management%20System/UPLOAD-1.md For More Information MITRE

CVE-2022-45919 : LINUX KERNEL UP TO 6.0.10/0221.C DVB_CA_EN50221.C DVB_CA_EN50221_IO_RELEASE USE AFTER FREE

CVE-2022-45919 : LINUX KERNEL UP TO 6.0.10/0221.C DVB_CA_EN50221.C DVB_CA_EN50221_IO_RELEASE USE AFTER FREE

Description An issue was discovered in the Linux kernel through 6.0.10. In drivers/media/dvb-core/dvb_ca_en50221.c, a use-after-free can occur is there is