VAR-201404-0538
Vulnerability from variot - Updated: 2025-09-20 23:16

An attacker using SQL injection may use arguments to construct queries without proper sanitization. The DBVisitor.dll is exposed through SOAP interfaces, and the exposed functions are vulnerable to SOAP injection. This may allow unexpected SQL action and access to records in the table of the software database or execution of arbitrary code. An SQL injection vulnerability exists in DBVisitor.dll of Advantech WebAccess. A third party may execute arbitrary SQL commands via a SOAP request to unspecified functions. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DBVisitor.dll component. These flaws allow an attacker to execute arbitrary SQL statements in the context of the web service and to exfiltrate data (including the account names and password hashes) from the vulnerable product. Advantech WebAccess HMI/SCADA is HMI/SCADA software. There is a SQL injection vulnerability in Advantech WebAccess. Because the SOAP interface exposes DBVisitor.dll, it allows an attacker to exploit a vulnerability to submit a specially crafted SOAP request, inject or manipulate a SQL query, and obtain sensitive information or manipulate the database. Advantech WebAccess is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, to access or modify data, or to exploit vulnerabilities in the underlying database. Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment.
{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "webaccess",
"scope": "eq",
"trust": 1.6,
"vendor": "advantech",
"version": "5.0"
},
{
"_id": null,
"model": "webaccess",
"scope": "eq",
"trust": 1.6,
"vendor": "advantech",
"version": "7.0"
},
{
"_id": null,
"model": "webaccess",
"scope": "eq",
"trust": 1.6,
"vendor": "advantech",
"version": "6.0"
},
{
"_id": null,
"model": "webaccess",
"scope": "eq",
"trust": 1.2,
"vendor": "advantech",
"version": "7.1"
},
{
"_id": null,
"model": "webaccess",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "7.1"
},
{
"_id": null,
"model": "webaccess",
"scope": "lt",
"trust": 0.8,
"vendor": "advantech",
"version": "7.2"
},
{
"_id": null,
"model": "webaccess",
"scope": null,
"trust": 0.7,
"vendor": "advantech",
"version": null
},
{
"_id": null,
"model": null,
"scope": "eq",
"trust": 0.4,
"vendor": "advantech webaccess",
"version": "5.0"
},
{
"_id": null,
"model": null,
"scope": "eq",
"trust": 0.4,
"vendor": "advantech webaccess",
"version": "6.0"
},
{
"_id": null,
"model": null,
"scope": "eq",
"trust": 0.4,
"vendor": "advantech webaccess",
"version": "7.0"
},
{
"_id": null,
"model": null,
"scope": "eq",
"trust": 0.4,
"vendor": "advantech webaccess",
"version": "*"
}
],
"sources": [
{
"db": "IVD",
"id": "0ad07d9e-1edf-11e6-abef-000c29c66e3d"
},
{
"db": "IVD",
"id": "1654b8d4-2352-11e6-abef-000c29c66e3d"
},
{
"db": "ZDI",
"id": "ZDI-14-077"
},
{
"db": "CNVD",
"id": "CNVD-2014-02243"
},
{
"db": "CNNVD",
"id": "CNNVD-201404-169"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001974"
},
{
"db": "NVD",
"id": "CVE-2014-0763"
}
]
},
"configurations": {
"_id": null,
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:advantech:advantech_webaccess",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-001974"
}
]
},
"credits": {
"_id": null,
"data": "Andrea Micalizzi aka rgod",
"sources": [
{
"db": "ZDI",
"id": "ZDI-14-077"
}
],
"trust": 0.7
},
"cve": "CVE-2014-0763",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "ics-cert@hq.dhs.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2014-0763",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 3.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2014-02243",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "0ad07d9e-1edf-11e6-abef-000c29c66e3d",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "IVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "1654b8d4-2352-11e6-abef-000c29c66e3d",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.2,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.9 [IVD]"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-68256",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "ics-cert@hq.dhs.gov",
"id": "CVE-2014-0763",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "nvd@nist.gov",
"id": "CVE-2014-0763",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2014-0763",
"trust": 0.8,
"value": "High"
},
{
"author": "ZDI",
"id": "CVE-2014-0763",
"trust": 0.7,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2014-02243",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201404-169",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "IVD",
"id": "0ad07d9e-1edf-11e6-abef-000c29c66e3d",
"trust": 0.2,
"value": "HIGH"
},
{
"author": "IVD",
"id": "1654b8d4-2352-11e6-abef-000c29c66e3d",
"trust": 0.2,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-68256",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "IVD",
"id": "0ad07d9e-1edf-11e6-abef-000c29c66e3d"
},
{
"db": "IVD",
"id": "1654b8d4-2352-11e6-abef-000c29c66e3d"
},
{
"db": "ZDI",
"id": "ZDI-14-077"
},
{
"db": "CNVD",
"id": "CNVD-2014-02243"
},
{
"db": "VULHUB",
"id": "VHN-68256"
},
{
"db": "CNNVD",
"id": "CNNVD-201404-169"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001974"
},
{
"db": "NVD",
"id": "CVE-2014-0763"
},
{
"db": "NVD",
"id": "CVE-2014-0763"
}
]
},
"description": {
"_id": null,
"data": "An attacker using SQL injection may use arguments to construct queries \nwithout proper sanitization. The DBVisitor.dll is exposed through SOAP \ninterfaces, and the exposed functions are vulnerable to SOAP injection. \nThis may allow unexpected SQL action and access to records in the table \nof the software database or execution of arbitrary code. An SQL injection vulnerability exists in DBVisitor.dll of Advantech WebAccess. A third party may execute arbitrary SQL commands via a SOAP request to unspecified functions. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DBVisitor.dll component. These flaws allow an attacker to execute arbitrary SQL statements in the context of the web service and to exfiltrate data (including the account names and password hashes) from the vulnerable product. Advantech WebAccess HMI/SCADA is HMI/SCADA software. There is a SQL injection vulnerability in Advantech WebAccess. Because the SOAP interface exposes DBVisitor.dll, it allows an attacker to exploit a vulnerability to submit a specially crafted SOAP request, inject or manipulate a SQL query, and obtain sensitive information or manipulate the database. Advantech WebAccess is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. \nA successful exploit could allow an attacker to compromise the application, to access or modify data, or to exploit vulnerabilities in the underlying database. \nAdvantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides functions of remote control and management of automation equipment.",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-0763"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001974"
},
{
"db": "ZDI",
"id": "ZDI-14-077"
},
{
"db": "CNVD",
"id": "CNVD-2014-02243"
},
{
"db": "BID",
"id": "66740"
},
{
"db": "IVD",
"id": "0ad07d9e-1edf-11e6-abef-000c29c66e3d"
},
{
"db": "IVD",
"id": "1654b8d4-2352-11e6-abef-000c29c66e3d"
},
{
"db": "VULHUB",
"id": "VHN-68256"
}
],
"trust": 3.51
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2014-0763",
"trust": 4.5
},
{
"db": "ICS CERT",
"id": "ICSA-14-079-03",
"trust": 3.1
},
{
"db": "BID",
"id": "66740",
"trust": 2.0
},
{
"db": "CNVD",
"id": "CNVD-2014-02243",
"trust": 1.0
},
{
"db": "CNNVD",
"id": "CNNVD-201404-169",
"trust": 1.0
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001974",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-1938",
"trust": 0.7
},
{
"db": "ZDI",
"id": "ZDI-14-077",
"trust": 0.7
},
{
"db": "OSVDB",
"id": "105572",
"trust": 0.6
},
{
"db": "SECUNIA",
"id": "57873",
"trust": 0.6
},
{
"db": "IVD",
"id": "0AD07D9E-1EDF-11E6-ABEF-000C29C66E3D",
"trust": 0.2
},
{
"db": "IVD",
"id": "1654B8D4-2352-11E6-ABEF-000C29C66E3D",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-68256",
"trust": 0.1
}
],
"sources": [
{
"db": "IVD",
"id": "0ad07d9e-1edf-11e6-abef-000c29c66e3d"
},
{
"db": "IVD",
"id": "1654b8d4-2352-11e6-abef-000c29c66e3d"
},
{
"db": "ZDI",
"id": "ZDI-14-077"
},
{
"db": "CNVD",
"id": "CNVD-2014-02243"
},
{
"db": "VULHUB",
"id": "VHN-68256"
},
{
"db": "BID",
"id": "66740"
},
{
"db": "CNNVD",
"id": "CNNVD-201404-169"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001974"
},
{
"db": "NVD",
"id": "CVE-2014-0763"
}
]
},
"id": "VAR-201404-0538",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "IVD",
"id": "0ad07d9e-1edf-11e6-abef-000c29c66e3d"
},
{
"db": "IVD",
"id": "1654b8d4-2352-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2014-02243"
},
{
"db": "VULHUB",
"id": "VHN-68256"
}
],
"trust": 1.53470696
},
"iot_taxonomy": {
"_id": null,
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 1.0
}
],
"sources": [
{
"db": "IVD",
"id": "0ad07d9e-1edf-11e6-abef-000c29c66e3d"
},
{
"db": "IVD",
"id": "1654b8d4-2352-11e6-abef-000c29c66e3d"
},
{
"db": "CNVD",
"id": "CNVD-2014-02243"
}
]
},
"last_update_date": "2025-09-20T23:16:55.175000Z",
"patch": {
"_id": null,
"data": [
{
"title": "Downloads ::: WebAccess Software",
"trust": 0.8,
"url": "http://webaccess.advantech.com/downloads.php?item=software"
},
{
"title": "Advantech WebAccess",
"trust": 0.8,
"url": "http://www.advantech.co.jp/products/GF-1M94V/Advantech-WebAccess/mod_B975C492-56B3-4EBA-8BBB-5B6D3483EE9D.aspx"
},
{
"title": "Advantech has issued an update to correct this vulnerability.",
"trust": 0.7,
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-079-03"
},
{
"title": "Advantech WebAccess DBVisitor.dll special SOAP request SQL injection vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/44778"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-14-077"
},
{
"db": "CNVD",
"id": "CNVD-2014-02243"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001974"
}
]
},
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-89",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-68256"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001974"
},
{
"db": "NVD",
"id": "CVE-2014-0763"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 3.8,
"url": "http://ics-cert.us-cert.gov/advisories/icsa-14-079-03"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/bid/66740"
},
{
"trust": 1.0,
"url": "http://webaccess.advantech.com/"
},
{
"trust": 1.0,
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-079-03"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0763"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0763"
},
{
"trust": 0.6,
"url": "http://osvdb.com/show/osvdb/105572"
},
{
"trust": 0.6,
"url": "http://secunia.com/advisories/57873"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-14-077"
},
{
"db": "CNVD",
"id": "CNVD-2014-02243"
},
{
"db": "VULHUB",
"id": "VHN-68256"
},
{
"db": "CNNVD",
"id": "CNNVD-201404-169"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001974"
},
{
"db": "NVD",
"id": "CVE-2014-0763"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "IVD",
"id": "0ad07d9e-1edf-11e6-abef-000c29c66e3d",
"ident": null
},
{
"db": "IVD",
"id": "1654b8d4-2352-11e6-abef-000c29c66e3d",
"ident": null
},
{
"db": "ZDI",
"id": "ZDI-14-077",
"ident": null
},
{
"db": "CNVD",
"id": "CNVD-2014-02243",
"ident": null
},
{
"db": "VULHUB",
"id": "VHN-68256",
"ident": null
},
{
"db": "BID",
"id": "66740",
"ident": null
},
{
"db": "CNNVD",
"id": "CNNVD-201404-169",
"ident": null
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001974",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2014-0763",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2014-04-11T00:00:00",
"db": "IVD",
"id": "0ad07d9e-1edf-11e6-abef-000c29c66e3d",
"ident": null
},
{
"date": "2014-04-11T00:00:00",
"db": "IVD",
"id": "1654b8d4-2352-11e6-abef-000c29c66e3d",
"ident": null
},
{
"date": "2014-04-10T00:00:00",
"db": "ZDI",
"id": "ZDI-14-077",
"ident": null
},
{
"date": "2014-04-11T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-02243",
"ident": null
},
{
"date": "2014-04-12T00:00:00",
"db": "VULHUB",
"id": "VHN-68256",
"ident": null
},
{
"date": "2014-04-08T00:00:00",
"db": "BID",
"id": "66740",
"ident": null
},
{
"date": "2014-04-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201404-169",
"ident": null
},
{
"date": "2014-04-15T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-001974",
"ident": null
},
{
"date": "2014-04-12T04:37:31.440000",
"db": "NVD",
"id": "CVE-2014-0763",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2014-04-10T00:00:00",
"db": "ZDI",
"id": "ZDI-14-077",
"ident": null
},
{
"date": "2014-04-11T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-02243",
"ident": null
},
{
"date": "2015-07-24T00:00:00",
"db": "VULHUB",
"id": "VHN-68256",
"ident": null
},
{
"date": "2014-04-17T00:40:00",
"db": "BID",
"id": "66740",
"ident": null
},
{
"date": "2014-04-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201404-169",
"ident": null
},
{
"date": "2014-04-15T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-001974",
"ident": null
},
{
"date": "2025-09-19T19:15:37.537000",
"db": "NVD",
"id": "CVE-2014-0763",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201404-169"
}
],
"trust": 0.6
},
"title": {
"_id": null,
"data": "SQL injection vulnerability in DBVisitor.dll of Advantech WebAccess",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-001974"
}
],
"trust": 0.8
},
"type": {
"_id": null,
"data": "SQL injection",
"sources": [
{
"db": "IVD",
"id": "0ad07d9e-1edf-11e6-abef-000c29c66e3d"
},
{
"db": "IVD",
"id": "1654b8d4-2352-11e6-abef-000c29c66e3d"
},
{
"db": "CNNVD",
"id": "CNNVD-201404-169"
}
],
"trust": 1.0
}
}