CVE-2020-16207: Advantech WebAccess/HMI Designer PM3 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
First published: Thu Aug 06 2020(Updated: )
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. Multiple heap-based buffer overflow vulnerabilities may be exploited by opening specially crafted project files that may overflow the heap, which may allow remote code execution, disclosure/modification of information, or cause the application to crash.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Advantech Webaccess\/hmi Designer | <=2.1.9.31 | |
| Advantech WebAccess/HMI Designer | ||
| Advantech WebAccess HMI Designer Versions 2.1.9.31 and prior |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://us-cert.cisa.gov/ics/advisories/icsa-20-219-02
- https://www.zerodayinitiative.com/advisories/ZDI-20-950/
- https://www.zerodayinitiative.com/advisories/ZDI-20-951/
- https://www.zerodayinitiative.com/advisories/ZDI-20-955/
- https://www.zerodayinitiative.com/advisories/ZDI-20-958/
- https://www.zerodayinitiative.com/advisories/ZDI-20-959/
- https://www.cisa.gov/news-events/ics-advisories/icsa-20-219-02 (Advisory)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2020-16207.
What is the severity of CVE-2020-16207?
The severity of CVE-2020-16207 is high with a severity value of 7.8.
Which software is affected by CVE-2020-16207?
Advantech WebAccess/HMI Designer versions up to 2.1.9.31 are affected by CVE-2020-16207.
How does the vulnerability CVE-2020-16207 allow remote code execution?
CVE-2020-16207 allows remote attackers to execute arbitrary code by exploiting a heap-based buffer overflow through user interaction, such as visiting a malicious page or opening a malicious file.
Where can I find more information about CVE-2020-16207?
You can find more information about CVE-2020-16207 at the following references: [Reference 1](https://us-cert.cisa.gov/ics/advisories/icsa-20-219-02), [Reference 2](https://www.zerodayinitiative.com/advisories/ZDI-20-955/), [Reference 3](https://www.zerodayinitiative.com/advisories/ZDI-20-951/).
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/weakness
- agent/author
- agent/severity
- agent/title
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-20-951
- alias/ZDI-CAN-10188
- alias/CVE-2020-16207
- agent/software-canonical-lookup
- agent/first-publish-date
- alias/ZDI-20-958
- alias/ZDI-CAN-10133
- alias/ZDI-20-959
- alias/ZDI-CAN-10122
- alias/ZDI-20-950
- alias/ZDI-CAN-10121
- alias/ZDI-20-955
- alias/ZDI-CAN-10136
- agent/references
- agent/softwarecombine
- agent/tags
- agent/event
- collector/ics-cert-advisory
- source/ICS
- vendor/advantech
- canonical/advantech webaccess\/hmi designer
- version/advantech webaccess\/hmi designer/2.1.9.31
- canonical/advantech webaccess/hmi designer
- canonical/advantech webaccess hmi designer versions 2.1.9.31 and prior