Lucene search

IcscertCVELIST:CVE-2023-2866

HistoryJun 07, 2023 - 8:12 p.m.

CVE-2023-2866 Advantech WebAccess Insufficient Type Distinction

2023-06-0720:12:46

CWE-351

icscert

www.cve.org

cve-2023-2866

advantech

webaccess

insufficient type distinction

scada

server

vulnerability

maliciously crafted

zip file

web shell

CVSS3

7.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

23.1%

JSON

If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "WebAccess/SCADA",
    "vendor": "Advantech",
    "versions": [
      {
        "status": "affected",
        "version": "8.4.5"
      }
    ]
  }
]

References

www.cisa.gov/news-events/ics-advisories/icsa-23-150-01

CVSS3

7.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

23.1%

JSON

Related for CVELIST:CVE-2023-2866