Omron NS Series HMI Improper Neutralization of Input During Web Page Generation
Summary
| CVE | CVE-2014-2370 |
|---|---|
| State | PUBLISHED |
| Assigner | icscert |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-07-24 14:55:07 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | Cross-site scripting (XSS) vulnerability in the web application on Omron NS5, NS8, NS10, NS12, and NS15 HMI terminals 8.1xx through 8.68x allows remote authenticated users to inject arbitrary web script or HTML via crafted data. |
Risk And Classification
Primary CVSS: v2.0 3.5 from [email protected]
AV:N/AC:M/Au:S/C:N/I:P/A:N
Problem Types: CWE-79 | CWE-79 CWE-79
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 2.0 | [email protected] | Primary | 3.5 | AV:N/AC:M/Au:S/C:N/I:P/A:N | |
| 2.0 | [email protected] | Secondary | 4 | AV:N/AC:L/Au:S/C:N/I:P/A:N | |
| 2.0 | CNA | CVSS | 4 | AV:N/AC:L/Au:S/C:N/I:P/A:N |
CVSS v2.0 Breakdown
AV:N/AC:M/Au:S/C:N/I:P/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Omron | Ns10 Hmi Terminal | - | All | All | All |
| Hardware | Omron | Ns12 Hmi Terminal | - | All | All | All |
| Hardware | Omron | Ns15 Hmi Terminal | - | All | All | All |
| Hardware | Omron | Ns5 Hmi Terminal | - | All | All | All |
| Hardware | Omron | Ns8 Hmi Terminal | - | All | All | All |
| Operating System | Omron | Ns Series System Program Firmware | 8.1 | All | All | All |
| Operating System | Omron | Ns Series System Program Firmware | 8.68 | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Omron | NS15 | affected 8.1xx 8.68x custom | Not specified |
| CNA | Omron | NS12 | affected 8.1xx 8.68x custom | Not specified |
| CNA | Omron | NS10 | affected 8.1xx 8.68x custom | Not specified |
| CNA | Omron | NS8 | affected 8.1xx 8.68x custom | Not specified |
| CNA | Omron | NS5 | affected 8.1xx 8.68x custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.cisa.gov/news-events/ics-advisories/icsa-14-203-01 | [email protected] | www.cisa.gov | |
| automation.omron.com/en/us/products | [email protected] | automation.omron.com | |
| Omron NS Series HMI Vulnerabilities | ICS-CERT | af854a3a-2127-422b-91ae-364da2661108 | ics-cert.us-cert.gov | Third Party Advisory, US Government Resource |
| Malformed Request | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Joel Sevilleja Febrer of S2 Grupo (en)
Additional Advisory Data
Solutions
CNA: Omron Corporation has produced update, Version 8.69x for Japan and Version 8.7x for other countries, that mitigates the identified vulnerabilities. The updates for the NS series of HMI terminals can be downloaded at the following locations: NS15 Software Update Version 8.7: http://industrial.omron.us/en/products/catalogue/automation_systems/hmi/scalable_hmi/ns15/default.html NS12 Software Update Version 8.7: http://industrial.omron.us/en/products/catalogue/automation_systems/hmi/scalable_hmi/ns12/default.html NS10 Software Update Version 8.7: http://industrial.omron.us/en/products/catalogue/automation_systems/hmi/scalable_hmi/ns10/default.html NS8 Software Update Version 8.7: http://industrial.omron.us/en/products/catalogue/automation_systems/hmi/scalable_hmi/ns8/default.html NS5 Software Update Version 8.7: http://industrial.omron.us/en/products/catalogue/automation_systems/hmi/scalable_hmi/ns5/default.html
Legacy QID Mappings
- 590466 Omron NS Series HMI Multiple Vulnerabilities (ICSA-14-203-01)