Webaccess Nms
CVE-2020-10621
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Multiple issues exist that allow files to be uploaded and executed on the WebAccess/NMS (versions prior to 3.0.2).
AnalysisAI
Multiple issues exist that allow files to be uploaded and executed on the WebAccess/NMS (versions prior to 3.0.2). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. Multiple issues exist that allow files to be uploaded and executed on the WebAccess/NMS (versions prior to 3.0.2). Affected products include: Advantech Webaccess\/Nms. Version information: prior to 3.0.2.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.
More in Webaccess Nms
View allAn attacker could use a specially crafted URL to delete or read files outside the WebAccess/NMS's (versions prior to 3.0
WebAccess/NMS (versions prior to 3.0.2) allows an unauthenticated remote user to create a new admin account. Rated criti
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versio
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versio
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versio
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versio
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versio
An attacker could use a specially crafted URL to delete files outside the WebAccess/NMS's (versions prior to 3.0.2) cont
WebAccess/NMS (versions prior to 3.0.2) does not properly sanitize user input and may allow an attacker to inject system
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versio
WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. Rated high severity (CVSS 7.5), this vulnerability
There are multiple ways an unauthenticated attacker could perform SQL injection on WebAccess/NMS (versions prior to 3.0.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today