The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Multiple vulnerabilities could allow an attacker with low privileges to perform SQL injection to gain access to sensitive information.
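The difference between a query built by concatenation and one that keeps input as data, shown as an added example that is not taken from the advisory or from the product's code. The `devices` table, its columns, the function names and the sample rows are hypothetical and constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data; this schema is hypothetical, not the product's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (name TEXT, owner TEXT, snmp_community TEXT)")
    db.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [
            ("switch-01", "operator", "op-ro"),
            ("router-01", "admin", "admin-rw-secret"),
        ],
    )
    return db


def lookup_vulnerable(db, user, name):
    # The input is pasted into the command text, so a quote character in
    # `name` ends the string literal and the rest is parsed as SQL.
    sql = (
        "SELECT name, snmp_community FROM devices "
        "WHERE owner = '" + user + "' AND name = '" + name + "'"
    )
    return db.execute(sql).fetchall()


def lookup_parameterized(db, user, name):
    # Placeholders bind the input as values; the statement structure is fixed
    # before any user data is seen, so the owner filter always applies.
    sql = "SELECT name, snmp_community FROM devices WHERE owner = ? AND name = ?"
    return db.execute(sql, (user, name)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input containing special elements
    print("concatenated :", lookup_vulnerable(db, "operator", crafted))
    print("parameterized:", lookup_parameterized(db, "operator", crafted))
```

With the concatenated query, the low-privileged `operator` lookup returns the `admin` row as well, because `AND` binds tighter than the injected `OR`; the parameterized query treats the same input as a device name and matches nothing.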
An attacker could use a specially crafted URL to delete or read files outside the application’s control.
The application allows an unauthenticated remote user to create a new admin account.
The application does not sanitize XML input. Specially crafted XML input could allow an attacker to read sensitive files.
The application does not properly sanitize user input and may allow an attacker to inject system commands remotely.
WebAccess/NMS versions prior to 3.0.2
Advantech recommends updating to Version 3.0.2.