MidnightBSD

Advisories for ecava

CVE-2010-4597 HIGH

Stack-based buffer overflow in the save method in the IntegraXor.Project ActiveX control in igcomm.dll in Ecava IntegraXor Human-Machine Interface (HMI) before 3.5.3900.10 allows remote attackers to execute arbitrary code via a long string in the second argument.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2010-4598 MEDIUM

Directory traversal vulnerability in Ecava IntegraXor 3.6.4000.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the file_name parameter in an open request.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
ecava integraxor 3.5.3900.5
ecava integraxor *
ecava integraxor 3.5.3900.10
CVE-2010-4599 MEDIUM

Untrusted search path vulnerability in Ecava IntegraXor 3.6.4000.0 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ecava integraxor 3.6.4000.0
CVE-2011-1562 HIGH

Ecava IntegraXor HMI before n 3.60 (Build 4032) allows remote attackers to bypass authentication and execute arbitrary SQL statements via unspecified vectors related to a crafted POST request. NOTE: some sources have reported this issue as SQL injection, but this might not be accurate.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2011-2958 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Ecava IntegraXor before 3.60 (Build 4080) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ecava integraxor 3.60
ecava integraxor 3.5.3900.5
ecava integraxor *
ecava integraxor 3.5.3900.10
ecava integraxor 3.6.4000.0
CVE-2012-0246 HIGH

Directory traversal vulnerability in an unspecified ActiveX control in Ecava IntegraXor before 3.71.4200 allows remote attackers to execute arbitrary code via vectors involving an HTML document on the server.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
ecava integraxor 3.60
ecava integraxor 3.5.3900.5
ecava integraxor *
ecava integraxor 3.5.3900.10
ecava integraxor 3.6.4000.0
CVE-2014-0752 HIGH

The SCADA server in Ecava IntegraXor before 4.1.4369 allows remote attackers to read arbitrary project backup files via a crafted URL.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-529,CWE-264,

Products Affected

Vendor Product Version
ecava integraxor 3.5.3900.5
ecava integraxor 3.71
ecava integraxor 3.71.4200
ecava integraxor *
ecava integraxor 3.5.3900.10
ecava integraxor 3.72
ecava integraxor 4.00
ecava integraxor 4.1
ecava integraxor 3.60.4061
ecava integraxor 3.6.4000.0
CVE-2014-0753 HIGH

Stack-based buffer overflow in the SCADA server in Ecava IntegraXor before 4.1.4390 allows remote attackers to cause a denial of service (system crash) by triggering access to DLL code located in the IntegraXor directory.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-121,CWE-119,

Products Affected

Vendor Product Version
ecava integraxor 3.5.3900.5
ecava integraxor *
ecava integraxor 4.00
ecava integraxor 4.1.4369
ecava integraxor 3.6.4000.0
ecava integraxor 4.1.4360
ecava integraxor 3.71
ecava integraxor 3.71.4200
ecava integraxor 3.5.3900.10
ecava integraxor 3.72
ecava integraxor 4.1
ecava integraxor 3.60.4061
CVE-2014-0786 HIGH

Ecava IntegraXor before 4.1.4393 allows remote attackers to read cleartext credentials for administrative accounts via SELECT statements that leverage the guest role.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-200,CWE-310,

Products Affected

Vendor Product Version
ecava integraxor 4.1.4360
ecava integraxor *
ecava integraxor 4.1.4380
ecava integraxor 4.1
ecava integraxor 4.1.4369
ecava integraxor 4.1.4340
CVE-2014-2375 HIGH

Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-73,CWE-264,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2014-2376 HIGH

SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2014-2377 MEDIUM

Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-526,CWE-200,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2015-0990 MEDIUM

Untrusted search path vulnerability in Ecava IntegraXor SCADA Server before 4.2.4488 allows local users to gain privileges via a renamed DLL in the default install directory.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2016-2299 HIGH

SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2016-2300 MEDIUM

Ecava IntegraXor before 5.0 build 4522 allows remote attackers to bypass authentication and access unspecified web pages via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2016-2301 MEDIUM

SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2016-2302 MEDIUM

Ecava IntegraXor before 5.0 build 4522 allows remote attackers to obtain sensitive information by reading detailed error messages.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2016-2303 MEDIUM

CRLF injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2016-2304 MEDIUM

Ecava IntegraXor before 5.0 build 4522 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2016-2305 MEDIUM

Cross-site scripting (XSS) vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2016-2306 HIGH

The HMI web server in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to obtain sensitive cleartext information by sniffing the network.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-310,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2016-8341 HIGH

An issue was discovered in Ecava IntegraXor Version 5.0.413.0. The Ecava IntegraXor web server has parameters that are vulnerable to SQL injection. If the queries are not sanitized, the host's database could be subject to read, write, and delete commands.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
ecava integraxor 5.0.413.0
CVE-2017-16733 MEDIUM

A SQL Injection issue was discovered in Ecava IntegraXor v 6.1.1030.1 and prior. The SQL Injection vulnerability has been identified, which an attacker can leverage to disclose sensitive information from the database.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2017-16735 MEDIUM

A SQL Injection issue was discovered in Ecava IntegraXor v 6.1.1030.1 and prior. The SQL Injection vulnerability has been identified, which generates an error in the database log.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
ecava integraxor *
CVE-2017-6050 HIGH

A SQL Injection issue was discovered in Ecava IntegraXor Versions 5.2.1231.0 and prior. The application fails to properly validate user input, which may allow for an unauthenticated attacker to remotely execute arbitrary code in the form of SQL queries.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,CWE-89,

Products Affected

Vendor Product Version
ecava integraxor *