There is a patch available for a path traversal vulnerability in the Ecava IntegraXor application.
Ecava mitigated the vulnerability, and the researchers who found the issue, Billy Rios and Terry McCorkle, have validated that the patch fixes it.
IntegraXor versions older than Version 3.71.4200 are affected, according to a report on ICS-CERT.
Exploitation of this vulnerability could result in file manipulation or arbitrary code execution.
Ecava Sdn Bhd is a Malaysia-based software development company that provides the IntegraXor SCADA product. Ecava specializes in factory and process automation solutions, and IntegraXor is a suite of tools used to create and run a web-based human-machine interface for a SCADA system.
IntegraXor is currently in use in 38 countries, with the largest installations based in the United Kingdom, United States, Australia, Poland, Canada, and Estonia.
A path traversal vulnerability can occur when a specially crafted HTML document is opened on the Ecava IntegraXor server. Successful exploitation could allow file manipulation or arbitrary code execution. The vulnerability is exploitable only through Internet Explorer, because it depends on the proprietary ActiveX component; no other web browsers are affected. The vulnerability is tracked as CVE-2012-0246 and has a CVSS v2 base score of 4.3.
Ecava users can download and install an update from the Ecava website.