ID

VAR-201902-0124


CVE

CVE-2019-6523


TITLE

SQL injection vulnerability in WebAccess/SCADA

Trust: 0.8

sources: JVNDB: JVNDB-2019-001598

DESCRIPTION

WebAccess/SCADA, Version 8.3: the software does not properly sanitize its inputs for SQL commands. An SQL injection vulnerability exists in WebAccess/SCADA. Information may be obtained or altered, and service operation may be disrupted (DoS).

Advantech WebAccess/SCADA is a set of browser-based SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. A SQL injection vulnerability exists in Advantech WebAccess/SCADA version 8.3. A remote attacker can exploit the vulnerability to execute SQL commands by sending a specially crafted request.

Advantech WebAccess/SCADA is prone to the following vulnerabilities:
1. Multiple authentication-bypass vulnerabilities
2. An SQL-injection vulnerability
An attacker can exploit these issues to bypass certain security restrictions, perform unauthorized actions, modify the logic of SQL queries, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Trust: 2.79

sources: NVD: CVE-2019-6523 // JVNDB: JVNDB-2019-001598 // CNVD: CNVD-2019-03260 // BID: 106722 // IVD: 7d85de81-463f-11e9-a845-000c29342cb1 // VULHUB: VHN-157958 // VULMON: CVE-2019-6523

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 7d85de81-463f-11e9-a845-000c29342cb1 // CNVD: CNVD-2019-03260

AFFECTED PRODUCTS

vendor: advantech, model: webaccess/scada, scope: eq, version: 8.3

Trust: 1.7

vendor: advantech, model: webaccess\/scada, scope: eq, version: 8.3

Trust: 1.0

vendor: advantech, model: webaccess/scada, scope: eq, version: 8.3.4

Trust: 0.3

vendor: advantech, model: webaccess/scada, scope: eq, version: 8.3.2

Trust: 0.3

vendor: advantech, model: webaccess/scada, scope: ne, version: 8.3.5

Trust: 0.3

vendor: webaccess scada, model: -, scope: eq, version: 8.3

Trust: 0.2

sources: IVD: 7d85de81-463f-11e9-a845-000c29342cb1 // CNVD: CNVD-2019-03260 // BID: 106722 // JVNDB: JVNDB-2019-001598 // NVD: CVE-2019-6523

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6523
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-6523
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2019-03260
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201901-890
value: CRITICAL

Trust: 0.6

IVD: 7d85de81-463f-11e9-a845-000c29342cb1
value: CRITICAL

Trust: 0.2

VULHUB: VHN-157958
value: HIGH

Trust: 0.1

VULMON: CVE-2019-6523
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-6523
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-03260
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d85de81-463f-11e9-a845-000c29342cb1
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-157958
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-6523
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: IVD: 7d85de81-463f-11e9-a845-000c29342cb1 // CNVD: CNVD-2019-03260 // VULHUB: VHN-157958 // VULMON: CVE-2019-6523 // JVNDB: JVNDB-2019-001598 // CNNVD: CNNVD-201901-890 // NVD: CVE-2019-6523

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.9

sources: VULHUB: VHN-157958 // JVNDB: JVNDB-2019-001598 // NVD: CVE-2019-6523

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201901-890

TYPE

SQL injection

Trust: 0.8

sources: IVD: 7d85de81-463f-11e9-a845-000c29342cb1 // CNNVD: CNNVD-201901-890

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001598

PATCH

title: Top Page, url: https://www.advantech.com/

Trust: 0.8

title: Patch for Advantech WebAccess/SCADA SQL Injection Vulnerability (CNVD-2019-03260), url: https://www.cnvd.org.cn/patchInfo/show/151743

Trust: 0.6

sources: CNVD: CNVD-2019-03260 // JVNDB: JVNDB-2019-001598

EXTERNAL IDS

db: NVD, id: CVE-2019-6523

Trust: 3.7

db: ICS CERT, id: ICSA-19-024-01

Trust: 3.5

db: BID, id: 106722

Trust: 2.1

db: CNNVD, id: CNNVD-201901-890

Trust: 0.9

db: CNVD, id: CNVD-2019-03260

Trust: 0.8

db: JVNDB, id: JVNDB-2019-001598

Trust: 0.8

db: ICS CERT, id: ICSA-19-024-01T

Trust: 0.6

db: IVD, id: 7D85DE81-463F-11E9-A845-000C29342CB1

Trust: 0.2

db: VULHUB, id: VHN-157958

Trust: 0.1

db: VULMON, id: CVE-2019-6523

Trust: 0.1

sources: IVD: 7d85de81-463f-11e9-a845-000c29342cb1 // CNVD: CNVD-2019-03260 // VULHUB: VHN-157958 // VULMON: CVE-2019-6523 // BID: 106722 // JVNDB: JVNDB-2019-001598 // CNNVD: CNNVD-201901-890 // NVD: CVE-2019-6523

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-19-024-01

Trust: 3.6

url: http://www.securityfocus.com/bid/106722

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2019-6523

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6523

Trust: 0.8

url: https://ics-cert.us-cert.gov/advisories/icsa-19-024-01, tags: third party advisory, us government resource

Trust: 0.6

url: http://www.securityfocus.com/bid/106722, tags: third party advisory, vdb entry

Trust: 0.6

url: https://www.advantech.com/

Trust: 0.3

url: https://support.advantech.com/support/downloadsrdetail_new.aspx?sr_id=1-ms9mjv&doc_source=download

Trust: 0.3

url: https://cwe.mitre.org/data/definitions/89.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2019-03260 // VULHUB: VHN-157958 // VULMON: CVE-2019-6523 // BID: 106722 // JVNDB: JVNDB-2019-001598 // CNNVD: CNNVD-201901-890 // NVD: CVE-2019-6523

CREDITS

Devesh Logendran from Attila Cybertech Pte. Ltd.

Trust: 0.9

sources: BID: 106722 // CNNVD: CNNVD-201901-890

SOURCES

db: IVD, id: 7d85de81-463f-11e9-a845-000c29342cb1
db: CNVD, id: CNVD-2019-03260
db: VULHUB, id: VHN-157958
db: VULMON, id: CVE-2019-6523
db: BID, id: 106722
db: JVNDB, id: JVNDB-2019-001598
db: CNNVD, id: CNNVD-201901-890
db: NVD, id: CVE-2019-6523

LAST UPDATE DATE

2024-08-14T14:32:47.495000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-03260, date: 2019-01-30T00:00:00
db: VULHUB, id: VHN-157958, date: 2019-02-06T00:00:00
db: VULMON, id: CVE-2019-6523, date: 2019-02-06T00:00:00
db: BID, id: 106722, date: 2019-01-24T00:00:00
db: JVNDB, id: JVNDB-2019-001598, date: 2019-03-15T00:00:00
db: CNNVD, id: CNNVD-201901-890, date: 2019-04-01T00:00:00
db: NVD, id: CVE-2019-6523, date: 2019-02-06T16:43:04.660

SOURCES RELEASE DATE

db: IVD, id: 7d85de81-463f-11e9-a845-000c29342cb1, date: 2019-01-30T00:00:00
db: CNVD, id: CNVD-2019-03260, date: 2019-01-28T00:00:00
db: VULHUB, id: VHN-157958, date: 2019-02-05T00:00:00
db: VULMON, id: CVE-2019-6523, date: 2019-02-05T00:00:00
db: BID, id: 106722, date: 2019-01-24T00:00:00
db: JVNDB, id: JVNDB-2019-001598, date: 2019-03-15T00:00:00
db: CNNVD, id: CNNVD-201901-890, date: 2019-01-25T00:00:00
db: NVD, id: CVE-2019-6523, date: 2019-02-05T21:29:00.863