Schneider Electric Wonderware Information Server CVE-2014-5399 SQL Injection Vulnerability

Bugtraq ID:	69416
Class:	Input Validation Error
CVE:	CVE-2014-5399
Remote:	Yes
Local:	No
Published:	Aug 26 2014 12:00AM
Updated:	Mar 19 2015 09:15AM
Credit:	Timur Yunusov, Ilya Karpov, Sergey Gordeychik, Alexey Osipov, and Dmitry Serebryannikov of the Positive Technologies Research Team
Vulnerable:	Invensys Wonderware Information Server 4.5 Portal Invensys Wonderware Information Server 4.0 SP1
Not Vulnerable:

Schneider Electric Wonderware Information Server CVE-2014-5399 SQL Injection Vulnerability

Schneider Electric Wonderware Information Server is prone to an unspecified SQL-injection vulnerability.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following versions are vulnerable:

Wonderware Information Server 4.0 SP1
Wonderware Information Server 4.5 Portal
Wonderware Information Server 5.0 Portal
Wonderware Information Server 5.5 Portal

Schneider Electric Wonderware Information Server CVE-2014-5399 SQL Injection Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Schneider Electric Wonderware Information Server CVE-2014-5399 SQL Injection Vulnerability

References:

• Invensys Wonderware Information Server HomePage (Invensys )
  
• (ICSA-14-238-02) Schneider Electric Wonderware Vulnerabilities (US-CERT)