Advantech WebAccess Bug Reported

Thursday, January 10, 2013 @ 06:01 PM gHale


There is a public report of a cross-site scripting vulnerability with proof-of-concept (PoC) exploit code affecting Advantech WebAccess, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product, according to a report on ICS-CERT.

This cross-site scripting vulnerability could allow a remote authenticated attacker to execute arbitrary code in a user’s browser session, according to the report.


ICS-CERT is issuing this alert to provide early notice of the report and to identify baseline mitigations for reducing the risk from this and other cyber security attacks.

The report was released by Antu Sanadi of SecPod Technologies without successful coordination with the vendor.

If exploited, the vulnerability could allow an attacker to execute unauthorized code, bypass protection mechanisms, and read application data.

This is the second report coming out about Advantech in just over a week.

The other report was a directory traversal vulnerability with proof-of-concept (PoC) exploit code affecting the Advantech Studio Web server, also a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product.

That report, released by Nin3 without coordination with the vendor or ICS-CERT, describes a directory traversal vulnerability that could occur when a specially crafted request is passed to the Web server.


