Advantech WebAccess/SCADA Cross-Site Scripting Vulnerability in User Project Creation Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Advantech WebAccess/SCADA versions 8.0 prior to 2015.08.16. The issue resides in the Admin Dashboard's 'Create New Project User' component, where the 'decryption' field fails to properly sanitize user input before it is displayed. This flaw allows remote attackers to execute JavaScript in the context of an authenticated user.

Impact

Exploitation of this vulnerability enables the execution of JavaScript in the browser of a user viewing the affected page. This could lead to session hijacking, unauthorized actions on behalf of the user, or the disclosure of sensitive information, depending on the user's privileges and session settings.

Reproduction

To reproduce this vulnerability, log into an authorized instance of Advantech WebAccess/SCADA 8.0-2015.08.16. Once logged in, navigate to the Admin Dashboard and select 'Create New Project User'. In the 'decryption' field, enter a payload that exploits the XSS vulnerability, such as a script tag or an SVG image with an onload event. After saving or previewing the record, the payload will execute if the field is vulnerable.

Remediation

Advantech users are advised to upgrade to a fixed release if available. Additionally, untrusted data should be encoded before rendering in HTML, JavaScript, or URL contexts. Input in the 'decryption' field should be validated to reject markup or script. Implementing a strict Content Security Policy and marking session cookies as 'HttpOnly', 'Secure', and 'SameSite' can also help mitigate the risk.
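The output-encoding, field-validation and header hardening described above, as an added example written here (not Advantech's code, and not taken from the affected product); function names, the field's allowed format and the cookie name are assumptions:

```javascript
// Added example, not Advantech's code: output encoding, allowlist validation
// and hardened cookie/CSP headers for the 'decryption' field. Function names,
// the field format and the cookie name are assumptions for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for the HTML text/attribute context so markup is shown, not parsed.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored field is concatenated straight into the page.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.name}</td><td>${user.decryption}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded at the point of output.
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.name)}</td><td>${escapeHtml(user.decryption)}</td></tr>`;
}

// Allowlist validation for the 'decryption' field (assumed format: a short
// token of letters, digits, space, underscore, dot or dash; no markup).
const DECRYPTION_FIELD = /^[A-Za-z0-9 _.-]{0,64}$/;
function isValidDecryptionField(value) {
  return typeof value === 'string' && DECRYPTION_FIELD.test(value);
}

// Session cookie attributes recommended in the remediation section.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// A strict CSP: scripts only from the same origin and no inline script, so an
// injected <script> or onload handler is blocked even if encoding is missed.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample record whose 'decryption' field contains markup.
const sample = { name: 'operator1', decryption: '<script>alert(1)</script>' };
console.log(isValidDecryptionField(sample.decryption)); // false: rejected at input
console.log(renderUserRowSafe(sample));                 // markup arrives encoded
```

Validation and encoding are independent layers: the allowlist stops bad values from being stored, while encoding at output protects rows that were stored before the check existed.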

Added: May 26, 2026, 3:23 PM
Updated: May 26, 2026, 3:23 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 9.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.