ID

VAR-201305-0091


CVE

CVE-2013-0688


TITLE

Invensys Wonderware Information Server Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2013-002606

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, and 5.0- Portal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Invensys Wonderware Information Server is a web-based solution that centrally presents production management information. The vulnerability exists in the implementation of Wonderware Information Server 4.0 SP1, Wonderware Information Server 4.5 Portal, and Wonderware Information Server 5.0 Portal. An attacker could exploit this vulnerability to execute arbitrary script code in a user's browser in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. As a web-based solution, the product displays factory performance indicators and production data to operations, maintenance, and engineering personnel, and is widely used in the petroleum, natural gas, chemical, and other industries.

Trust: 2.7

sources: NVD: CVE-2013-0688 // JVNDB: JVNDB-2013-002606 // CNVD: CNVD-2013-05027 // BID: 59703 // IVD: f46b7928-2352-11e6-abef-000c29c66e3d // VULHUB: VHN-60690

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: f46b7928-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05027

AFFECTED PRODUCTS

vendor: invensys, model: wonderware information server, scope: eq, version: 4.5

Trust: 1.6

vendor: invensys, model: wonderware information server, scope: eq, version: 4.0

Trust: 1.6

vendor: invensys, model: wonderware information server, scope: eq, version: 5.0

Trust: 1.6

vendor: invensys, model: wonderware information server sp1, scope: eq, version: 4.0

Trust: 0.9

vendor: invensys, model: wonderware information server portal, scope: eq, version: 4.5

Trust: 0.9

vendor: invensys, model: wonderware information server, scope: eq, version: 4.0 sp1sp1

Trust: 0.8

vendor: invensys, model: wonderware information server, scope: eq, version: 4.5- portal

Trust: 0.8

vendor: invensys, model: wonderware information server, scope: eq, version: 5.0- portal

Trust: 0.8

vendor: wonderware information server, model: -, scope: eq, version: 4.0

Trust: 0.2

vendor: wonderware information server, model: -, scope: eq, version: 4.5

Trust: 0.2

vendor: wonderware information server, model: -, scope: eq, version: 5.0

Trust: 0.2

sources: IVD: f46b7928-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05027 // BID: 59703 // JVNDB: JVNDB-2013-002606 // CNNVD: CNNVD-201305-142 // NVD: CVE-2013-0688

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-0688
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-0688
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2013-05027
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201305-142
value: MEDIUM

Trust: 0.6

IVD: f46b7928-2352-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

VULHUB: VHN-60690
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-0688
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-05027
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: f46b7928-2352-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-60690
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: f46b7928-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05027 // VULHUB: VHN-60690 // JVNDB: JVNDB-2013-002606 // CNNVD: CNNVD-201305-142 // NVD: CVE-2013-0688

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-60690 // JVNDB: JVNDB-2013-002606 // NVD: CVE-2013-0688

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201305-142

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201305-142

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-002606

PATCH

title: Top Page, url: http://global.wonderware.com/EN/Pages/default.aspx

Trust: 0.8

title: Wonderware Japan Partners, url: http://global.wonderware.com/JP/Pages/JpPartnersSI.aspx

Trust: 0.8

title: Hardware Partners, url: http://iom.invensys.com/JP/Pages/IOM_HardwarePartners.aspx

Trust: 0.8

title: Software Partners, url: http://iom.invensys.com/JP/Pages/IOM_SoftwarePartners.aspx

Trust: 0.8

title: Wonderware Top Page, url: http://iom.invensys.com/JP/Pages/home.aspx

Trust: 0.8

title: Patch for Invensys Wonderware Information Server Cross-Site Scripting Vulnerability (CNVD-2013-05027), url: https://www.cnvd.org.cn/patchInfo/show/33855

Trust: 0.6

sources: CNVD: CNVD-2013-05027 // JVNDB: JVNDB-2013-002606

EXTERNAL IDS

db: NVD, id: CVE-2013-0688

Trust: 3.6

db: ICS CERT, id: ICSA-13-113-01

Trust: 3.4

db: BID, id: 59703

Trust: 1.6

db: CNNVD, id: CNNVD-201305-142

Trust: 0.9

db: CNVD, id: CNVD-2013-05027

Trust: 0.8

db: JVNDB, id: JVNDB-2013-002606

Trust: 0.8

db: SECUNIA, id: 53308

Trust: 0.6

db: IVD, id: F46B7928-2352-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: VULHUB, id: VHN-60690

Trust: 0.1

sources: IVD: f46b7928-2352-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-05027 // VULHUB: VHN-60690 // BID: 59703 // JVNDB: JVNDB-2013-002606 // CNNVD: CNNVD-201305-142 // NVD: CVE-2013-0688

REFERENCES

url:http://ics-cert.us-cert.gov/advisories/icsa-13-113-01

Trust: 3.4

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-0688

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0688

Trust: 0.8

url:http://www.linuxidc.com/linux/2013-05/84034.htm

Trust: 0.6

url:http://secunia.com/advisories/53308

Trust: 0.6

url:http://www.securityfocus.com/bid/59703

Trust: 0.6

url:http://global.wonderware.com/en/pages/wonderwareinformationserver.aspx

Trust: 0.3

sources: CNVD: CNVD-2013-05027 // VULHUB: VHN-60690 // BID: 59703 // JVNDB: JVNDB-2013-002606 // CNNVD: CNNVD-201305-142 // NVD: CVE-2013-0688

CREDITS

Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team

Trust: 0.9

sources: BID: 59703 // CNNVD: CNNVD-201305-142

SOURCES

db: IVD, id: f46b7928-2352-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2013-05027
db: VULHUB, id: VHN-60690
db: BID, id: 59703
db: JVNDB, id: JVNDB-2013-002606
db: CNNVD, id: CNNVD-201305-142
db: NVD, id: CVE-2013-0688

LAST UPDATE DATE

2025-04-11T22:53:19.626000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-05027, date: 2013-05-27T00:00:00
db: VULHUB, id: VHN-60690, date: 2013-05-09T00:00:00
db: BID, id: 59703, date: 2013-05-07T00:00:00
db: JVNDB, id: JVNDB-2013-002606, date: 2013-05-10T00:00:00
db: CNNVD, id: CNNVD-201305-142, date: 2013-05-17T00:00:00
db: NVD, id: CVE-2013-0688, date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: IVD, id: f46b7928-2352-11e6-abef-000c29c66e3d, date: 2013-05-09T00:00:00
db: CNVD, id: CNVD-2013-05027, date: 2013-05-10T00:00:00
db: VULHUB, id: VHN-60690, date: 2013-05-09T00:00:00
db: BID, id: 59703, date: 2013-05-07T00:00:00
db: JVNDB, id: JVNDB-2013-002606, date: 2013-05-10T00:00:00
db: CNNVD, id: CNNVD-201305-142, date: 2013-05-17T00:00:00
db: NVD, id: CVE-2013-0688, date: 2013-05-09T12:31:19.010