{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WebAccess", "vendor": "Advantech", "versions": [{"lessThanOrEqual": "7.1", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "7.2"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Andrea Micalizzi, aka rgod, Tom Gallagher, and an independent anonymous researcher working with HP\u2019s Zero Day Initiative (ZDI)"}], "datePublic": "2014-04-08T06:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>\nAn attacker using SQL injection may use arguments to construct queries \nwithout proper sanitization. The DBVisitor.dll is exposed through SOAP \ninterfaces, and the exposed functions are vulnerable to SOAP injection. \nThis may allow unexpected SQL action and access to records in the table \nof the software database or execution of arbitrary code.\n\n</p>"}], "value": "An attacker using SQL injection may use arguments to construct queries \nwithout proper sanitization. The DBVisitor.dll is exposed through SOAP \ninterfaces, and the exposed functions are vulnerable to SOAP injection. \nThis may allow unexpected SQL action and access to records in the table \nof the software database or execution of arbitrary code."}], "metrics": [{"cvssV2_0": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-09-19T19:06:29.062Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-079-03"}, {"name": "66740", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/66740"}, {"url": "http://webaccess.advantech.com/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Advantech has created a new version (Version 7.2) that mitigates each\n of the vulnerabilities described above. Users may download this version\n from the following location at their web site:&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"http://webaccess.advantech.com/downloads.php?item=software\">http://webaccess.advantech.com/downloads.php?item=software</a></p><p>For additional information about WebAccess, please visit the following Advantech web site:&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"http://webaccess.advantech.com/\">http://webaccess.advantech.com/</a></p>\n\n<br>"}], "value": "Advantech has created a new version (Version 7.2) that mitigates each\n of the vulnerabilities described above. Users may download this version\n from the following location at their web site:\u00a0 http://webaccess.advantech.com/downloads.php?item=software \n\nFor additional information about WebAccess, please visit the following Advantech web site:\u00a0 http://webaccess.advantech.com/"}], "source": {"advisory": "ICSA-14-079-03", "discovery": "EXTERNAL"}, "title": "Advantech WebAccess SQL Injection", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2014-0763", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple SQL injection vulnerabilities in DBVisitor.dll in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary SQL commands via SOAP requests to unspecified functions."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03", "refsource": "MISC", "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03"}, {"name": "66740", "refsource": "BID", "url": "http://www.securityfocus.com/bid/66740"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:27:19.483Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03"}, {"name": "66740", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/66740"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2014-0763", "datePublished": "2014-04-12T01:00:00", "dateReserved": "2014-01-02T00:00:00", "dateUpdated": "2025-09-19T19:06:29.062Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:advantech:advantech_webaccess:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D097D1E-9A02-40B0-93BD-163A11638118", "versionEndIncluding": "7.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:advantech:advantech_webaccess:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "090C819C-5964-4158-80E6-2D4751A5E8BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:advantech:advantech_webaccess:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "7CF61F9C-360A-4B70-951D-8EE9CF6E55FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:advantech:advantech_webaccess:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "1082E1D5-AF49-431F-9172-98C2D2887C96", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker using SQL injection may use arguments to construct queries \nwithout proper sanitization. The DBVisitor.dll is exposed through SOAP \ninterfaces, and the exposed functions are vulnerable to SOAP injection. \nThis may allow unexpected SQL action and access to records in the table \nof the software database or execution of arbitrary code."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en DBVisitor.dll en Advantech WebAccess anterior a 7.2 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de solicitudes SOAP hacia funciones no especificadas."}], "id": "CVE-2014-0763", "lastModified": "2025-09-19T19:15:37.537", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "ics-cert@hq.dhs.gov", "type": "Secondary", "userInteractionRequired": false}, {"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-04-12T04:37:31.440", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "http://webaccess.advantech.com/"}, {"source": "ics-cert@hq.dhs.gov", "url": "http://www.securityfocus.com/bid/66740"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-079-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/66740"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}