Advantech WebAccess upAdminPg Information Disclosure Vulnerability

Vulnerability Details

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Advantech WebAccess. Authentication is required to exploit this vulnerability.

The specific flaw exists within upAdminPg.asp. One project administrator can view other project administrators' passwords along with the system administrator's password. An attacker can leverage this vulnerability to escalate privileges within the system.

Additional Details

Advantech has issued an update to correct this vulnerability. More details can be found at:
https://ics-cert.us-cert.gov/advisories/ICSA-16-173-01

Disclosure Timeline

• 2016-05-11 - Vulnerability reported to vendor
• 2016-07-18 - Coordinated public release of advisory

Credit

Zhou Yu

Back to Advisories