Your one-stop web resource providing safety and security information to manufacturers

Advantech created a new version that mitigates authentication bypass and SQL injection vulnerabilities in its WebAccess product, according to a report with ICS-CERT.

WebAccess Version 8.1 suffers from the remotely exploitable vulnerabilities, discovered by Tenable Network Security working with Trend Micro’s Zero Day Initiative.

VideoInsight Fixes SQL Injection Hole
Carlo Gavazzi Patches Vulnerabilities
OSIsoft Working to Fix Pi Hole
Medical Device Vulnerability Mitigated

Successful exploitation of this authentication bypass vulnerability could allow an attacker to access pages unrestricted; SQL injection condition may allow remote code execution.

To be able to exploit the SQL injection vulnerability, an attacker must supply malformed input to the WebAccess software. Successful attack could result in administrative access to the application and its data files.

Schneider Bold

CVE-2017-5154 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In the authentication bypass issue, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access pages unrestricted.

CVE-2017-5152 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.

No known public exploits specifically target this vulnerability. However, it would take a low skill level from an attacker to exploit the issues.

Advantech has produced WebAccess Version 8.2 that mitigates these vulnerabilities. Click here to download the new version.

Pin It on Pinterest

Share This