xArrow SCADA versions 7.2 and prior permits unvalidated registry keys to be run with application-level privileges.

xArrow SCADA versions 7.2 and prior is vulnerable to cross-site scripting due to parameter ‘edate’ of the resource xhisalarm.htm, which may allow an unauthorized attacker to execute arbitrary code.

xArrow SCADA versions 7.2 and prior is vulnerable to cross-site scripting due to parameter ‘bdate’ of the resource xhisvalue.htm, which may allow an unauthorized attacker to execute arbitrary code.

Heap-based buffer overflow in the server in xArrow before 3.4.1 allows remote attackers to execute arbitrary code via packets that trigger an invalid free operation.

Integer overflow in the server in xArrow before 3.4.1 allows remote attackers to execute arbitrary code via a crafted packet that triggers an out-of-bounds read operation.

The server in xArrow before 3.4.1 does not properly allocate memory, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via unspecified vectors.

The server in xArrow before 3.4.1 performs an invalid read operation, which allows remote attackers to execute arbitrary code via unspecified vectors.