Filtered by vendor Advantech
Subscriptions
Total
370 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-34241 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 6.5 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxDeviceController.ajaxDeviceAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information. | ||||
| CVE-2025-34240 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 6.5 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information. | ||||
| CVE-2025-34236 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 5.4 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via NetworksController.addNetworkAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2025-34237 | 1 Advantech | 2 Webaccess/vpn, Webaccess\/vpn | 2025-11-28 | 5.4 Medium |
| Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via StandaloneVpnClientsController.addStandaloneVpnClientAction(). Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. | ||||
| CVE-2022-50591 | 1 Advantech | 1 Iview | 2025-11-24 | 9.8 Critical |
| Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_config_id’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords. | ||||
| CVE-2022-50592 | 1 Advantech | 1 Iview | 2025-11-24 | 7.2 High |
| Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘getInventoryReportData’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges. | ||||
| CVE-2022-50594 | 1 Advantech | 1 Iview | 2025-11-24 | 7.5 High |
| Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘data’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for the exfiltration of user data, included clear text passwords. | ||||
| CVE-2022-50595 | 1 Advantech | 1 Iview | 2025-11-24 | 7.2 High |
| Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘ztp_search_value’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges. | ||||
| CVE-2025-64302 | 1 Advantech | 2 Deviceon/iedge, Deviceon\/iedge | 2025-11-19 | 6.4 Medium |
| Insufficient input sanitization in the dashboard label or path can allow an attacker to trigger a device error causing information disclosure or data manipulation. | ||||
| CVE-2025-62630 | 1 Advantech | 2 Deviceon/iedge, Deviceon\/iedge | 2025-11-19 | 8.8 High |
| Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions. | ||||
| CVE-2025-59171 | 1 Advantech | 2 Deviceon/iedge, Deviceon\/iedge | 2025-11-19 | 7.5 High |
| Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions. | ||||
| CVE-2025-63701 | 1 Advantech | 1 Tp-3250 | 2025-11-18 | 6.8 Medium |
| A heap corruption vulnerability exists in the Advantech TP-3250 printer driver's DrvUI_x64_ADVANTECH.dll (v0.3.9200.20789) when DocumentPropertiesW() is called with a valid dmDriverExtra value but an undersized output buffer. The driver incorrectly assumes the output buffer size matches the input buffer size, leading to invalid memory operations and heap corruption. This vulnerability can cause denial of service through application crashes and potentially lead to code execution in user space. Local access is required to exploit this vulnerability. | ||||
| CVE-2022-50593 | 1 Advantech | 1 Iview | 2025-11-15 | N/A |
| Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection vulnerability within the ‘search_term’ parameter to the ‘NetworkServlet’ endpoint. Successful exploitation allows for remote code execution with administrator privileges. | ||||
| CVE-2014-2368 | 1 Advantech | 1 Advantech Webaccess | 2025-10-06 | N/A |
| The BrowseFolder method in the bwocxrun ActiveX control in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call. | ||||
| CVE-2014-2367 | 1 Advantech | 1 Advantech Webaccess | 2025-10-06 | N/A |
| The ChkCookie subroutine in an ActiveX control in broadweb/include/gChkCook.asp in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a crafted call. | ||||
| CVE-2014-2366 | 1 Advantech | 1 Advantech Webaccess | 2025-10-06 | N/A |
| upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenticated users to discover credentials by reading HTML source code. | ||||
| CVE-2014-2365 | 1 Advantech | 1 Advantech Webaccess | 2025-10-06 | N/A |
| Unspecified vulnerability in Advantech WebAccess before 7.2 allows remote authenticated users to create or delete arbitrary files via unknown vectors. | ||||
| CVE-2014-2364 | 1 Advantech | 1 Advantech Webaccess | 2025-10-06 | N/A |
| Multiple stack-based buffer overflows in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary code via a long string in the (1) ProjectName, (2) SetParameter, (3) NodeName, (4) CCDParameter, (5) SetColor, (6) AlarmImage, (7) GetParameter, (8) GetColor, (9) ServerResponse, (10) SetBaud, or (11) IPAddress parameter to an ActiveX control in (a) webvact.ocx, (b) dvs.ocx, or (c) webdact.ocx. | ||||
| CVE-2014-0773 | 1 Advantech | 1 Advantech Webaccess | 2025-09-19 | N/A |
| The BWOCXRUN.BwocxrunCtrl.1 control contains a method named “CreateProcess.” This method contains validation to ensure an attacker cannot run arbitrary command lines. After validation, the values supplied in the HTML are passed to the Windows CreateProcessA API. The validation can be bypassed allowing for running arbitrary command lines. The command line can specify running remote files (example: UNC command line). A function exists at offset 100019B0 of bwocxrun.ocx. Inside this function, there are 3 calls to strstr to check the contents of the user specified command line. If “\setup.exe,” “\bwvbprt.exe,” or “\bwvbprtl.exe” are contained in the command line (strstr returns nonzero value), the command line passes validation and is then passed to CreateProcessA. | ||||
| CVE-2014-0772 | 1 Advantech | 1 Advantech Webaccess | 2025-09-19 | N/A |
| The BWOCXRUN.BwocxrunCtrl.1 control contains a method named OpenUrlToBufferTimeout. This method takes a URL as a parameter and returns its contents to the caller in JavaScript. The URLs are accessed in the security context of the current browser session. The control does not perform any URL validation and allows file:// URLs that access the local disk. The method can be used to open a URL (including file URLs) and read the URLs through JavaScript. This method could also be used to reach any arbitrary URL to which the browser has access. | ||||