CVE-2014-0772

Опубликовано: 12 апр. 2014

Источник: nvd

CVSS2: 5

EPSS Низкий

Описание

The BWOCXRUN.BwocxrunCtrl.1 control contains a method named OpenUrlToBufferTimeout. This method takes a URL as a parameter and returns its contents to the caller in JavaScript. The URLs are accessed in the security context of the current browser session. The control does not perform any URL validation and allows file:// URLs that access the local disk.

The method can be used to open a URL (including file URLs) and read the URLs through JavaScript. This method could also be used to reach any arbitrary URL to which the browser has access.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:advantech:advantech_webaccess:*:*:*:*:*:*:*:*

Версия до 7.1 (включая)

cpe:2.3:a:advantech:advantech_webaccess:5.0:*:*:*:*:*:*:*

cpe:2.3:a:advantech:advantech_webaccess:6.0:*:*:*:*:*:*:*

cpe:2.3:a:advantech:advantech_webaccess:7.0:*:*:*:*:*:*:*

EPSS

Процентиль: 57%

0.0035

Низкий

5 Medium

CVSS2

5 Medium

CVSS2

Дефекты

CWE-538

CWE-200

Связанные уязвимости

GHSA-wf7g-3pcc-4w4x

github

больше 3 лет назад

The OpenUrlToBufferTimeout method in the BWOCXRUN.BwocxrunCtrl.1 ActiveX control in bwocxrun.ocx in Advantech WebAccess before 7.2 allows remote attackers to read arbitrary files via a file: URL.

EPSS

Процентиль: 57%

0.0035

Низкий

5 Medium

CVSS2

5 Medium

CVSS2

Дефекты

CWE-538

CWE-200