ID
VAR-E-201204-0164
CVE
| cve_id: | CVE-2012-0226 | Trust: 0.3 |
| cve_id: | CVE-2012-0228 | Trust: 0.3 |
| cve_id: | CVE-2012-0225 | Trust: 0.3 |
TITLE
Invensys Wonderware Information Server Multiple Security Vulnerabilities
Trust: 0.3
DESCRIPTION
Invensys Wonderware Information Server is prone to multiple security vulnerabilities, including:
1. A cross-site scripting vulnerability
2. A SQL-injection vulnerability
3. A security-bypass vulnerability
Attackers can leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of an affected site, steal cookie-based authentication credentials, perform unauthorized actions, obtain sensitive information, redirect a user to a potentially malicious site, cause a denial-of-service condition and compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks are also possible.
Trust: 0.3
AFFECTED PRODUCTS
| vendor: | invensys | model: | wonderware information server portal | scope: | eq | version: | 4.5 | Trust: 0.3 |
| vendor: | invensys | model: | wonderware information server client | scope: | eq | version: | 4.5 | Trust: 0.3 |
| vendor: | invensys | model: | wonderware information server sp1 | scope: | eq | version: | 4.0 | Trust: 0.3 |
EXPLOIT
Attackers can exploit these issues using a browser. To exploit a cross-site scripting vulnerability, an attacker must entice an unsuspecting victim into following a URI.
Trust: 0.3
PRICE
Free
Trust: 0.3
TYPE
Unknown
Trust: 0.3
CREDITS
Terry McCorkle and Billy Rios
Trust: 0.3
EXTERNAL IDS
| db: | ICS CERT | id: | ICSA-12-062-01 | Trust: 0.3 |
| db: | NVD | id: | CVE-2012-0226 | Trust: 0.3 |
| db: | NVD | id: | CVE-2012-0228 | Trust: 0.3 |
| db: | NVD | id: | CVE-2012-0225 | Trust: 0.3 |
| db: | BID | id: | 52851 | Trust: 0.3 |
REFERENCES
| url: | http://www.us-cert.gov/control_systems/pdf/icsa-12-062-01.pdf | Trust: 0.3 |
SOURCES
| db: | BID | id: | 52851 |
LAST UPDATE DATE
2022-07-27T09:19:07.628000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 52851 | date: | 2012-04-02T00:00:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 52851 | date: | 2012-04-02T00:00:00 |