Advantech created a patch that mitigates a cross-site scripting vulnerability in its WebAccess application.
This remotely exploitable vulnerability, released by independent researcher Sanadi Antu with proof of concept code without coordination with ICS-CERT, the vendor, or any other coordinating entity known to ICS-CERT, ended up released back in January.
Exploits that target this vulnerability are publicly available. Advantech WebAccess 7.0 and prior suffer from the issue.
Successful exploitation will allow a remote authenticated attacker to execute arbitrary HTML code in a user’s browser session in the context of a vulnerable application.
Taiwan-based Advantech has distribution offices in 21 countries worldwide.
Advantech WebAccess, formally known as BroadWin WebAccess, is a Web-based SCADA and human-machine interface (HMI) product used in energy, critical manufacturing, and building automation systems (commercial and government facilities). These systems are in use globally.
In the vulnerability, input sent from a malicious client does not end up properly verified by the server. By sending invalid input through the WebAccess Client interface, an attacker can execute arbitrary HTML and script code in another user’s browser session.
CVE-2013-2299 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.
An attacker with a medium skill would be able to exploit this vulnerability.
Users may download the latest version of WebAccess (V 7.1 2013.05.30) at the Advantech website.
Advantech has also created a site to share additional information about WebAccess.