{"api_version":"1","generated_at":"2026-06-29T19:04:38+00:00","cve":"CVE-2019-10961","urls":{"html":"https://cve.report/CVE-2019-10961","api":"https://cve.report/api/cve/CVE-2019-10961.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-10961","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-10961"},"summary":{"title":"CVE-2019-10961","description":"In Advantech WebAccess HMI Designer Version 2.1.9.23 and prior, processing specially crafted MCR files lacking proper validation of user supplied data may cause the system to write outside the intended buffer area, allowing remote code execution.","state":"PUBLIC","assigner":"ics-cert@hq.dhs.gov","published_at":"2019-08-02 17:15:00","updated_at":"2023-03-03 15:51:00"},"problem_types":["CWE-787"],"metrics":[],"references":[{"url":"https://www.zerodayinitiative.com/advisories/ZDI-19-691/","name":"https://www.zerodayinitiative.com/advisories/ZDI-19-691/","refsource":"MISC","tags":["Third Party Advisory","VDB Entry"],"title":"ZDI-19-691 | Zero Day Initiative","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.us-cert.gov/ics/advisories/icsa-19-213-01","name":"https://www.us-cert.gov/ics/advisories/icsa-19-213-01","refsource":"MISC","tags":["Patch","Third Party Advisory","US Government Resource"],"title":"Advantech WebAccess HMI Designer | CISA","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-10961","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10961","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"10961","vulnerable":"1","versionEndIncluding":"2.1.7.32","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"advantech","cpe5":"webaccess_hmi_designer","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-10961","ASSIGNER":"ics-cert@hq.dhs.gov","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"Advantech WebAccess HMI Designer","version":{"version_data":[{"version_value":"Version 2.1.9.23 and prior"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"OUT-OF-BOUNDS WRITE CWE-787"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://www.us-cert.gov/ics/advisories/icsa-19-213-01","url":"https://www.us-cert.gov/ics/advisories/icsa-19-213-01"},{"refsource":"MISC","name":"https://www.zerodayinitiative.com/advisories/ZDI-19-691/","url":"https://www.zerodayinitiative.com/advisories/ZDI-19-691/"}]},"description":{"description_data":[{"lang":"eng","value":"In Advantech WebAccess HMI Designer Version 2.1.9.23 and prior, processing specially crafted MCR files lacking proper validation of user supplied data may cause the system to write outside the intended buffer area, allowing remote code execution."}]}},"nvd":{"publishedDate":"2019-08-02 17:15:00","lastModifiedDate":"2023-03-03 15:51:00","problem_types":["CWE-787"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:advantech:webaccess_hmi_designer:*:*:*:*:*:*:*:*","versionEndIncluding":"2.1.7.32","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"10961","Ordinal":"149242","Title":"CVE-2019-10961","CVE":"CVE-2019-10961","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"10961","Ordinal":"1","NoteData":"In Advantech WebAccess HMI Designer Version 2.1.9.23 and prior, processing specially crafted MCR files lacking proper validation of user supplied data may cause the system to write outside the intended buffer area, allowing remote code execution.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"10961","Ordinal":"2","NoteData":"2019-08-02","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"10961","Ordinal":"3","NoteData":"2019-08-05","Type":"Other","Title":"Modified"}]}}}