Input validation error in Advantech WebAccess - CVE-2014-0773
Published: April 12, 2014 / Updated: August 10, 2020
Vulnerability identifier: #VU41832
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-0773
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Advantech Co., Ltd
Affected software:
Advantech WebAccess
Advantech WebAccess
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The CreateProcess method in the BWOCXRUN.BwocxrunCtrl.1 ActiveX control in bwocxrun.ocx in Advantech WebAccess before 7.2 allows remote attackers to execute (1) setup.exe, (2) bwvbprt.exe, and (3) bwvbprtl.exe programs from arbitrary pathnames via a crafted argument, as demonstrated by a UNC share pathname. CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
How to mitigate CVE-2014-0773
Install update from vendor's website.