PT-2022-2513 · Microsoft+1 · Windows+2

Giovanni Delvecchio · Published 2022-05-09 · Updated 2022-06-07 · CVE-2022-1467

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
AVEVA InTouch Access Anywhere (affected versions not specified)
Plant SCADA Access Anywhere (affected versions not specified)

Description
The issue is an information exposure in an error data area that a remote attacker can exploit to execute arbitrary OS commands. When the Windows OS language bar functionality is enabled, it can be manipulated to launch an OS command prompt, resulting in a context escape from the application into the underlying OS. This is possible when the language bar UI is viewable in the browser alongside the AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere applications.

Recommendations
As a temporary workaround, consider disabling the Windows OS language bar functionality until a patch is available, and restrict access to the OS command prompt to minimize the risk of exploitation. At the moment there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

BDU:2022-02926
CVE-2022-1467

Affected Products

Aveva Intouch Access Anywhere
Plant Scada Access Anywhere
Windows