{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"WebAccess","vendor":"Advantech","versions":[{"lessThanOrEqual":"7.1","status":"affected","version":"0","versionType":"custom"},{"status":"unaffected","version":"7.2"}]}],"credits":[{"lang":"en","type":"finder","value":"Andrea Micalizzi, aka rgod, Tom Gallagher, and an independent anonymous researcher working with HP’s Zero Day Initiative (ZDI)"}],"datePublic":"2014-04-08T06:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>\n\n\n\n\n\n\n\n\n</p><p></p>\n<p>The BWOCXRUN.BwocxrunCtrl.1 control contains a method named \nOpenUrlToBufferTimeout. This method takes a URL as a parameter and \nreturns its contents to the caller in JavaScript. The URLs are accessed \nin the security context of the current browser session. The control does\n not perform any URL validation and allows file:// URLs that access the \nlocal disk.</p>\n<p>The method can be used to open a URL (including file URLs) and read \nthe URLs through JavaScript. This method could also be used to reach any\n arbitrary URL to which the browser has access.</p>\n\n<p></p>\n\n<p></p>"}],"value":"The BWOCXRUN.BwocxrunCtrl.1 control contains a method named \nOpenUrlToBufferTimeout. This method takes a URL as a parameter and \nreturns its contents to the caller in JavaScript. The URLs are accessed \nin the security context of the current browser session. The control does\n not perform any URL validation and allows file:// URLs that access the \nlocal disk.\n\n\nThe method can be used to open a URL (including file URLs) and read \nthe URLs through JavaScript. This method could also be used to reach any\n arbitrary URL to which the browser has access."}],"metrics":[{"cvssV2_0":{"accessComplexity":"LOW","accessVector":"NETWORK","authentication":"NONE","availabilityImpact":"NONE","baseScore":5,"confidentialityImpact":"PARTIAL","integrityImpact":"NONE","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","version":"2.0"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-538","description":"CWE-538","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert","dateUpdated":"2025-09-19T19:19:40.873Z"},"references":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-14-079-03"},{"name":"66740","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/66740"},{"url":"http://webaccess.advantech.com/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Advantech has created a new version (Version 7.2) that mitigates each\n of the vulnerabilities described above. Users may download this version\n from the following location at their web site:&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"http://webaccess.advantech.com/downloads.php?item=software\">http://webaccess.advantech.com/downloads.php?item=software</a></p><p>For additional information about WebAccess, please visit the following Advantech web site:&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"http://webaccess.advantech.com/\">http://webaccess.advantech.com/</a></p>\n\n<br>"}],"value":"Advantech has created a new version (Version 7.2) that mitigates each\n of the vulnerabilities described above. Users may download this version\n from the following location at their web site:  http://webaccess.advantech.com/downloads.php?item=software \n\nFor additional information about WebAccess, please visit the following Advantech web site:  http://webaccess.advantech.com/"}],"source":{"advisory":"ICSA-14-079-03","discovery":"EXTERNAL"},"title":"Advantech WebAccess File and Directory Information Exposure","x_generator":{"engine":"Vulnogram 0.2.0"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"ics-cert@hq.dhs.gov","ID":"CVE-2014-0763","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Multiple SQL injection vulnerabilities in DBVisitor.dll in Advantech WebAccess before 7.2 allow remote attackers to execute arbitrary SQL commands via SOAP requests to unspecified functions."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03","refsource":"MISC","url":"http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03"},{"name":"66740","refsource":"BID","url":"http://www.securityfocus.com/bid/66740"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-06T09:27:19.509Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03"}]}]},"cveMetadata":{"assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","assignerShortName":"icscert","cveId":"CVE-2014-0772","datePublished":"2014-04-12T01:00:00.000Z","dateReserved":"2014-01-02T00:00:00.000Z","dateUpdated":"2025-09-19T19:19:40.873Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}