ID
VAR-202004-0078
CVE
CVE-2020-10619
TITLE
WebAccess/NMS Past Traversal Vulnerability in
Trust: 0.8
DESCRIPTION
An attacker could use a specially crafted URL to delete files outside the WebAccess/NMS's (versions prior to 3.0.2) control. WebAccess/NMS Exists in a past traversal vulnerability.Information is tampered with and service operation is interrupted (DoS) It may be put into a state. This vulnerability allows remote attackers to delete arbitary files on affected installations of Advantech WebAccess/NMS. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of calls to the saveBackground.action endpoint. When parsing the oldImage parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Advantech WebAccess/NMS is a set of Web browser-based Network Management System (NMS) software package developed by China Taiwan Advantech Corporation. There is a path traversal vulnerability in versions prior to Advantech WebAccess/NMS 3.0.2
Trust: 2.34
AFFECTED PRODUCTS
| vendor: | advantech | model: | webaccess\/nms | scope: | lt | version: | 3.0.2 | Trust: 1.0 |
| vendor: | advantech | model: | webaccess/nms | scope: | eq | version: | 3.0.2 | Trust: 0.8 |
| vendor: | advantech | model: | webaccess/nms | scope: | - | version: | - | Trust: 0.7 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-22 | Trust: 1.9 |
| problemtype: | CWE-23 | Trust: 1.0 |
THREAT TYPE
remote
Trust: 0.6
TYPE
path traversal
Trust: 0.6
CONFIGURATIONS
PATCH
| title: | Top Page | url: | https://www.advantech.com/ | Trust: 0.8 |
| title: | Advantech has issued an update to correct this vulnerability. | url: | https://www.us-cert.gov/ics/advisories/icsa-20-098-01 | Trust: 0.7 |
| title: | Advantech WebAccess/NMS Repair measures for path traversal vulnerabilities | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=115610 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2020-10619 | Trust: 3.2 |
| db: | ICS CERT | id: | ICSA-20-098-01 | Trust: 2.5 |
| db: | ZDI | id: | ZDI-20-379 | Trust: 1.3 |
| db: | JVNDB | id: | JVNDB-2020-003802 | Trust: 0.8 |
| db: | ZDI_CAN | id: | ZDI-CAN-9572 | Trust: 0.7 |
| db: | CNNVD | id: | CNNVD-202004-391 | Trust: 0.7 |
| db: | NSFOCUS | id: | 46350 | Trust: 0.6 |
| db: | AUSCERT | id: | ESB-2020.1251 | Trust: 0.6 |
| db: | CNVD | id: | CNVD-2020-22314 | Trust: 0.1 |
| db: | VULHUB | id: | VHN-163115 | Trust: 0.1 |
REFERENCES
| url: | https://www.us-cert.gov/ics/advisories/icsa-20-098-01 | Trust: 3.2 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2020-10619 | Trust: 1.4 |
| url: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10619 | Trust: 0.8 |
| url: | https://www.zerodayinitiative.com/advisories/zdi-20-379/ | Trust: 0.6 |
| url: | http://www.nsfocus.net/vulndb/46350 | Trust: 0.6 |
| url: | https://www.auscert.org.au/bulletins/esb-2020.1251/ | Trust: 0.6 |
CREDITS
rgod of 9sg
Trust: 0.7
SOURCES
| db: | ZDI | id: | ZDI-20-379 |
| db: | VULHUB | id: | VHN-163115 |
| db: | JVNDB | id: | JVNDB-2020-003802 |
| db: | CNNVD | id: | CNNVD-202004-391 |
| db: | NVD | id: | CVE-2020-10619 |
LAST UPDATE DATE
2024-11-23T21:59:22.192000+00:00
SOURCES UPDATE DATE
| db: | ZDI | id: | ZDI-20-379 | date: | 2020-04-08T00:00:00 |
| db: | VULHUB | id: | VHN-163115 | date: | 2020-04-10T00:00:00 |
| db: | JVNDB | id: | JVNDB-2020-003802 | date: | 2020-04-24T00:00:00 |
| db: | CNNVD | id: | CNNVD-202004-391 | date: | 2020-04-14T00:00:00 |
| db: | NVD | id: | CVE-2020-10619 | date: | 2024-11-21T04:55:42.703 |
SOURCES RELEASE DATE
| db: | ZDI | id: | ZDI-20-379 | date: | 2020-04-08T00:00:00 |
| db: | VULHUB | id: | VHN-163115 | date: | 2020-04-09T00:00:00 |
| db: | JVNDB | id: | JVNDB-2020-003802 | date: | 2020-04-24T00:00:00 |
| db: | CNNVD | id: | CNNVD-202004-391 | date: | 2020-04-07T00:00:00 |
| db: | NVD | id: | CVE-2020-10619 | date: | 2020-04-09T14:15:12.573 |