Advantech created a new version that mitigates authentication bypass and SQL injection vulnerabilities in its WebAccess product, according to a report with ICS-CERT.
WebAccess Version 8.1 suffers from the remotely exploitable vulnerabilities, discovered by Tenable Network Security working with Trend Micro’s Zero Day Initiative.
Successful exploitation of this authentication bypass vulnerability could allow an attacker to access pages unrestricted; SQL injection condition may allow remote code execution.
To be able to exploit the SQL injection vulnerability, an attacker must supply malformed input to the WebAccess software. Successful attack could result in administrative access to the application and its data files.
CVE-2017-5154 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
In the authentication bypass issue, by accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access pages unrestricted.
CVE-2017-5152 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.
No known public exploits specifically target this vulnerability. However, it would take a low skill level from an attacker to exploit the issues.
Advantech has produced WebAccess Version 8.2 that mitigates these vulnerabilities. Click here to download the new version.