Advantech/BroadWin WebAccess is a web-based application for human-machine interfaces (HMI), and supervisory control and data acquisition (SCADA).
Advantech/BroadWin WebAccess is affected by multiple vulnerabilities: cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF) and authentication issues.
Advantech/BroadWin WebAccess 7.0 and earlier
QID Detection Logic (unauthenticated):
The QID sends a GET request for /broadWeb/bwRoot.asp and reads the version of Advantech/BroadWin WebAccess running on the remote target from the response.
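An added example, not Qualys's QID code, that reproduces the unauthenticated version check described above so a defender can inventory WebAccess hosts and flag anything at 7.0 or earlier. The page only names the path; it does not show the response markup, so the regex, the `check_host` helper and the sample body below are assumptions (the sample is constructed, not real WebAccess output). Versions like 7.0.x are treated as 7.0, which is also an assumption.

```python
"""Reproduce the version check described above for Advantech/BroadWin WebAccess.

Assumptions (not from the page): the /broadWeb/bwRoot.asp body contains a
version string such as "WebAccess Version 7.0"; the real markup is unknown,
so the pattern and the sample body are hypothetical.
"""
import re
import urllib.request
from typing import Optional, Tuple

DETECTION_PATH = "/broadWeb/bwRoot.asp"   # path named on the page
LAST_AFFECTED = (7, 0)                     # "7.0 and earlier"

# Hypothetical pattern: "WebAccess", an optional "v"/"Version", then a dotted number.
_VERSION_RE = re.compile(
    r"WebAccess\s*(?:v(?:ersion)?\s*)?(\d+(?:\.\d+)+)", re.IGNORECASE
)

# Constructed sample response body (not real product output).
SAMPLE_BODY = (
    "<html><head><title>WebAccess</title></head>\n"
    "<body>Advantech WebAccess Version 7.0 - constructed sample</body></html>"
)


def parse_version(body: str) -> Optional[Tuple[int, ...]]:
    """Extract the dotted version from a response body, or None if absent."""
    m = _VERSION_RE.search(body)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when major.minor is at or below 7.0 (patch levels are ignored)."""
    major, minor = (tuple(version) + (0, 0))[:2]
    return (major, minor) <= LAST_AFFECTED


def assess_body(body: str) -> dict:
    """Combine parsing and the version comparison into one verdict."""
    version = parse_version(body)
    return {
        "version": version,
        "affected": version is not None and is_affected(version),
    }


def check_host(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch the detection page from a host you own and assess it (network)."""
    url = base_url.rstrip("/") + DETECTION_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "webaccess-version-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    result = assess_body(body)
    result["url"] = url
    return result


if __name__ == "__main__":
    # Offline demonstration against the constructed sample body.
    print(assess_body(SAMPLE_BODY))
```

`assess_body` is the part worth unit-testing: it returns `None` for a body without a version string, so a missing banner is reported as "unknown" rather than silently treated as safe.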
Successful exploitation of the vulnerabilities will lead to:
1) Cross-site scripting (XSS)
2) SQL injection
3) Cross-site request forgery (CSRF)
4) Authentication issues