U.K.-based industrial software manufacturer Aveva and the Cybersecurity and Infrastructure Security Agency have issued security advisories regarding three vulnerabilities impacting Aveva's InTouch Access Anywhere HMI and Plant SCADA Access Anywhere systems, all of which have already been addressed, SecurityWeek reports.
Some of the roughly 1,100 InTouch Access Anywhere Gateway instances exposed to the internet are affected by a high-severity path traversal flaw, tracked as CVE-2022-23854, which could be exploited to read files outside the secure gateway web server, according to Crisec consultant Jens Regel, who discovered the flaw.
"If an attacker gains access to sensitive information, such as configuration files in which access data is stored, for example, this can become a real problem," said Regel, who noted that leveraging the flaw does not require any user interaction.
Meanwhile, both the InTouch Access Anywhere and Plant SCADA Access Anywhere products are also affected by a critical OpenSSL vulnerability that could enable arbitrary code execution and denial-of-service attacks, as well as by a medium-severity flaw stemming from a vulnerable bundled jQuery version.