Schneider Electric Wonderware Information Server CVE-2014-5397 Cross Site Scripting Vulnerability
BID:69418
CVE-2014-5397
| Bugtraq ID: | 69418 |
| Class: | Input Validation Error |
| CVE: | CVE-2014-5397 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 26 2014 12:00AM |
| Updated: | Mar 19 2015 09:39AM |
| Credit: | Timur Yunusov, Ilya Karpov, Sergey Gordeychik, Alexey Osipov, and Dmitry Serebryannikov of the Positive Technologies Research Team |
| Vulnerable: | Invensys Wonderware Information Server 4.5 Portal; Invensys Wonderware Information Server 4.0 SP1 |
| Not Vulnerable: | |
Discussion
Schneider Electric Wonderware Information Server is prone to an unspecified cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
The following versions are vulnerable:
Wonderware Information Server 4.0 SP1
Wonderware Information Server 4.5 Portal
Wonderware Information Server 5.0 Portal
Wonderware Information Server 5.5 Portal
Exploit / POC
Attackers can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.