Vulnerability Details : CVE-2014-0763
Public exploit exists!
Multiple SQL injection vulnerabilities in DBVisitor.dll in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary SQL commands via SOAP requests to unspecified functions.
Vulnerability category: SQL Injection
Exploit prediction scoring system (EPSS) score for CVE-2014-0763
Probability of exploitation activity in the next 30 days: 0.85%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 82 %
Metasploit modules for CVE-2014-0763
- Advantech WebAccess DBVisitor.dll ChartThemeConfig SQL Injection
  Disclosure Date: 2014-04-08
  First seen: 2020-04-26
  auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli
  This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The vulnerability exists in the DBVisitor.dll component, and can be abused through malicious requests to the ChartThemeConfig web service. This module can be used to extract the site
CVSS scores for CVE-2014-0763
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
CWE ids for CVE-2014-0763
- The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-0763
- http://www.securityfocus.com/bid/66740
  Advantech WebAccess CVE-2014-0763 SQL Injection Vulnerability
- http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03
  US Government Resource
Products affected by CVE-2014-0763
- cpe:2.3:a:advantech:advantech_webaccess:*:*:*:*:*:*:*:*
- cpe:2.3:a:advantech:advantech_webaccess:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:advantech:advantech_webaccess:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:advantech:advantech_webaccess:7.0:*:*:*:*:*:*:*