CVE-2018-6911

Name of the Vulnerable Software and Affected Versions Advantech WebAccess version 8.3.0

Description The issue is related to the VBWinExec function in NodeAspVBObj.dll, which allows remote attackers to execute arbitrary OS commands via a single argument, specifically the command parameter. This is due to the lack of measures to neutralize special elements used in OS commands. Exploitation of this issue can allow a remote attacker to execute arbitrary OS commands using a specially crafted parameter.

Recommendations For Advantech WebAccess version 8.3.0, consider disabling the VBWinExec function as a temporary workaround until a patch is available. Restrict access to the NodeAspVBObj.dll module to minimize the risk of exploitation. Avoid using the command parameter in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.