ID

VAR-201405-0282


CVE

CVE-2014-2351


TITLE

SQL injection vulnerability in the LiveData service of CSWorks

Trust: 0.8

sources: JVNDB: JVNDB-2014-002540

DESCRIPTION

SQL injection vulnerability in the LiveData service in CSWorks before 2.5.5233.0 allows remote attackers to execute arbitrary SQL commands via vectors related to pathnames contained in web API requests. Authentication is not required to exploit this vulnerability. The specific flaw exists within the data source templating. CSWorks does not properly sanitize or validate the data used to construct read and write paths, which can lead to SQL injection. An attacker may be able to leverage this vulnerability to achieve remote code execution. CSWorks is a software architecture for building web-based HMI, SCADA and M2M industrial automation solutions. CSWorks is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, to access or modify data, or to exploit vulnerabilities in the underlying database. CSWorks 2.5.5050.0 and prior are vulnerable.

Trust: 3.42

sources: NVD: CVE-2014-2351 // JVNDB: JVNDB-2014-002540 // ZDI: ZDI-14-298 // CNVD: CNVD-2014-03157 // BID: 67427 // IVD: 7d769c41-463f-11e9-a9b8-000c29342cb1 // IVD: f996f9aa-2351-11e6-abef-000c29c66e3d

IOT TAXONOMY

category: ['ICS'] | sub_category: -

Trust: 1.0

sources: IVD: 7d769c41-463f-11e9-a9b8-000c29342cb1 // IVD: f996f9aa-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-03157

AFFECTED PRODUCTS

vendor: controlsystemworks | model: csworks | scope: eq | version: 2.0.4115.0

Trust: 1.6

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.4.3900.0

Trust: 1.6

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.7.5000.0

Trust: 1.6

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.4.3860.0

Trust: 1.6

vendor: controlsystemworks | model: csworks | scope: eq | version: 2.0.4115.1

Trust: 1.6

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.4.3850.0

Trust: 1.6

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.4.4000.0

Trust: 1.6

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.4.3880.0

Trust: 1.6

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.7.4050.0

Trust: 1.6

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.0.612.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.0.801.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 2.5.4770.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 2.5.4770.1

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 2.5.4912.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.4.3820.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.0.623.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.2.3800.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.0.601.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.0.3560.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 2.1.4386.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 2.1.4560.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.1.3600.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: lte | version: 2.5.5050.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.2.3730.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.0.3580.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.4.3830.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.0.720.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.1.3700.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.0.901.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.1.3674.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.0.813.0

Trust: 1.0

vendor: controlsystemworks | model: csworks | scope: eq | version: 1.0.3540.0

Trust: 1.0

vendor: csworks | model: csworks | scope: lt | version: 2.5.5233.0

Trust: 0.8

vendor: csworks | model: csworks | scope: - | version: -

Trust: 0.7

vendor: csworks | model: csworks | scope: eq | version: 2.x

Trust: 0.6

vendor: controlsystemworks | model: csworks | scope: eq | version: 2.5.5050.0

Trust: 0.6

vendor: csworks | model: - | scope: eq | version: 1.0.601.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.0.612.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.0.623.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.0.720.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.0.801.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.0.813.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.0.901.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.0.3540.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.0.3560.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.0.3580.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.1.3600.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.1.3674.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.1.3700.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.2.3730.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.2.3800.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.4.3820.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.4.3830.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.4.3850.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.4.3860.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.4.3880.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.4.3900.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.4.4000.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.7.4050.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 1.7.5000.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 2.0.4115.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 2.0.4115.1

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 2.1.4386.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 2.1.4560.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 2.5.4770.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 2.5.4770.1

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: 2.5.4912.0

Trust: 0.4

vendor: csworks | model: - | scope: eq | version: *

Trust: 0.4

vendor: csworks | model: csworks | scope: eq | version: 2.0.41151

Trust: 0.3

vendor: csworks | model: csworks | scope: eq | version: 2.0.41150

Trust: 0.3

sources: IVD: 7d769c41-463f-11e9-a9b8-000c29342cb1 // IVD: f996f9aa-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-14-298 // CNVD: CNVD-2014-03157 // BID: 67427 // JVNDB: JVNDB-2014-002540 // CNNVD: CNNVD-201405-383 // NVD: CVE-2014-2351

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2351
value: HIGH

Trust: 1.0

NVD: CVE-2014-2351
value: HIGH

Trust: 0.8

ZDI: CVE-2014-2351
value: HIGH

Trust: 0.7

CNVD: CNVD-2014-03157
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201405-383
value: HIGH

Trust: 0.6

IVD: 7d769c41-463f-11e9-a9b8-000c29342cb1
value: HIGH

Trust: 0.2

IVD: f996f9aa-2351-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2014-2351
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

CNVD: CNVD-2014-03157
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d769c41-463f-11e9-a9b8-000c29342cb1
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: f996f9aa-2351-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 7d769c41-463f-11e9-a9b8-000c29342cb1 // IVD: f996f9aa-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-14-298 // CNVD: CNVD-2014-03157 // JVNDB: JVNDB-2014-002540 // CNNVD: CNNVD-201405-383 // NVD: CVE-2014-2351

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2014-002540 // NVD: CVE-2014-2351

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201405-383

TYPE

SQL injection

Trust: 1.0

sources: IVD: 7d769c41-463f-11e9-a9b8-000c29342cb1 // IVD: f996f9aa-2351-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201405-383

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002540

PATCH

title: Important: CSWorks security release 2.5.5233.0 | url: http://www.controlsystemworks.com/blogengine/post/2014/05/08/Important-CSWorks-security-release-2552330

Trust: 0.8

title: CSWorks has issued an update to correct this vulnerability. | url: https://ics-cert.us-cert.gov/advisories/ICSA-14-135-01

Trust: 0.7

title: CSWorks LiveData Service Web API SQL Injection Vulnerability Patch | url: https://www.cnvd.org.cn/patchInfo/show/45759

Trust: 0.6

title: CSWorks-2.5.5233.0-x64 | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=50013

Trust: 0.6

sources: ZDI: ZDI-14-298 // CNVD: CNVD-2014-03157 // JVNDB: JVNDB-2014-002540 // CNNVD: CNNVD-201405-383

EXTERNAL IDS

db: NVD | id: CVE-2014-2351

Trust: 4.4

db: ICS CERT | id: ICSA-14-135-01

Trust: 2.4

db: BID | id: 67427

Trust: 1.9

db: CNVD | id: CNVD-2014-03157

Trust: 1.0

db: CNNVD | id: CNNVD-201405-383

Trust: 1.0

db: JVNDB | id: JVNDB-2014-002540

Trust: 0.8

db: ZDI_CAN | id: ZDI-CAN-2191

Trust: 0.7

db: ZDI | id: ZDI-14-298

Trust: 0.7

db: IVD | id: 7D769C41-463F-11E9-A9B8-000C29342CB1

Trust: 0.2

db: IVD | id: F996F9AA-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

sources: IVD: 7d769c41-463f-11e9-a9b8-000c29342cb1 // IVD: f996f9aa-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-14-298 // CNVD: CNVD-2014-03157 // BID: 67427 // JVNDB: JVNDB-2014-002540 // CNNVD: CNNVD-201405-383 // NVD: CVE-2014-2351

REFERENCES

url:http://ics-cert.us-cert.gov/advisories/icsa-14-135-01

Trust: 3.1

url:http://www.controlsystemworks.com/blogengine/post/2014/05/08/important-csworks-security-release-2552330

Trust: 2.2

url:http://www.securityfocus.com/bid/67427

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2351

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2351

Trust: 0.8

url:http://www.controlsystemworks.com/

Trust: 0.3

sources: ZDI: ZDI-14-298 // CNVD: CNVD-2014-03157 // BID: 67427 // JVNDB: JVNDB-2014-002540 // CNNVD: CNNVD-201405-383 // NVD: CVE-2014-2351

CREDITS

John Leitch

Trust: 0.7

sources: ZDI: ZDI-14-298

SOURCES

db: IVD | id: 7d769c41-463f-11e9-a9b8-000c29342cb1
db: IVD | id: f996f9aa-2351-11e6-abef-000c29c66e3d
db: ZDI | id: ZDI-14-298
db: CNVD | id: CNVD-2014-03157
db: BID | id: 67427
db: JVNDB | id: JVNDB-2014-002540
db: CNNVD | id: CNNVD-201405-383
db: NVD | id: CVE-2014-2351

LAST UPDATE DATE

2025-04-13T23:25:24.826000+00:00


SOURCES UPDATE DATE

db: ZDI | id: ZDI-14-298 | date: 2014-08-27T00:00:00
db: CNVD | id: CNVD-2014-03157 | date: 2014-05-22T00:00:00
db: BID | id: 67427 | date: 2014-09-01T00:12:00
db: JVNDB | id: JVNDB-2014-002540 | date: 2014-05-21T00:00:00
db: CNNVD | id: CNNVD-201405-383 | date: 2014-05-23T00:00:00
db: NVD | id: CVE-2014-2351 | date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: IVD | id: 7d769c41-463f-11e9-a9b8-000c29342cb1 | date: 2014-05-22T00:00:00
db: IVD | id: f996f9aa-2351-11e6-abef-000c29c66e3d | date: 2014-05-22T00:00:00
db: ZDI | id: ZDI-14-298 | date: 2014-08-27T00:00:00
db: CNVD | id: CNVD-2014-03157 | date: 2014-05-21T00:00:00
db: BID | id: 67427 | date: 2014-05-08T00:00:00
db: JVNDB | id: JVNDB-2014-002540 | date: 2014-05-21T00:00:00
db: CNNVD | id: CNNVD-201405-383 | date: 2014-05-23T00:00:00
db: NVD | id: CVE-2014-2351 | date: 2014-05-20T11:13:37.873