ID

VAR-201407-0239


CVE

CVE-2014-2370


TITLE

Omron NS Series HMI Terminal Web Application cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-003554

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the web application on Omron NS5, NS8, NS10, NS12, and NS15 HMI terminals 8.1xx through 8.68x allows remote authenticated users to inject arbitrary web script or HTML via crafted data. Omron NS5, NS8, NS10, NS12 and NS15 HMI Terminals are Omron's touch screen HMI programming software. There is an HTML injection vulnerability in Omron NS series HMI Terminals. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. The following products and versions are affected: Omron NS5, NS8, NS10, NS12 and NS15 HMI Terminals, versions 8.1xx to 8.68x.

Trust: 2.88

sources: NVD: CVE-2014-2370 // JVNDB: JVNDB-2014-003554 // CNVD: CNVD-2014-04730 // BID: 68836 // IVD: 7d7def40-463f-11e9-b4a6-000c29342cb1 // IVD: e2e3071c-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-70309

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 1.0

sources: IVD: 7d7def40-463f-11e9-b4a6-000c29342cb1 // IVD: e2e3071c-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-04730

AFFECTED PRODUCTS

vendor: omron, model: ns series system program, scope: eq, version: 8.1

Trust: 2.2

vendor: omron, model: ns series system program, scope: eq, version: 8.68

Trust: 2.2

vendor: omron, model: ns8 hmi terminal, scope: eq, version: -

Trust: 1.0

vendor: omron, model: ns12 hmi terminal, scope: eq, version: -

Trust: 1.0

vendor: omron, model: ns10 hmi terminal, scope: eq, version: -

Trust: 1.0

vendor: omron, model: ns5 hmi terminal, scope: eq, version: -

Trust: 1.0

vendor: omron, model: ns15 hmi terminal, scope: eq, version: -

Trust: 1.0

vendor: omron, model: ns10, scope: -, version: -

Trust: 0.8

vendor: omron, model: ns12, scope: -, version: -

Trust: 0.8

vendor: omron, model: ns15, scope: -, version: -

Trust: 0.8

vendor: omron, model: ns5, scope: -, version: -

Trust: 0.8

vendor: omron, model: ns8, scope: -, version: -

Trust: 0.8

vendor: omron, model: ns series software, scope: eq, version: 8.1xx to 8.68x

Trust: 0.8

vendor: omron, model: ns15 hmi terminal, scope: -, version: -

Trust: 0.6

vendor: omron, model: ns12 hmi terminal, scope: -, version: -

Trust: 0.6

vendor: omron, model: ns10 hmi terminal, scope: -, version: -

Trust: 0.6

vendor: omron, model: ns8 hmi terminal, scope: -, version: -

Trust: 0.6

vendor: omron, model: ns5 hmi terminal, scope: -, version: -

Trust: 0.6

vendor: ns series system program, model: -, scope: eq, version: 8.1

Trust: 0.4

vendor: ns series system program, model: -, scope: eq, version: 8.68

Trust: 0.4

vendor: ns10 hmi terminal, model: -, scope: eq, version: -

Trust: 0.4

vendor: ns12 hmi terminal, model: -, scope: eq, version: -

Trust: 0.4

vendor: ns15 hmi terminal, model: -, scope: eq, version: -

Trust: 0.4

vendor: ns5 hmi terminal, model: -, scope: eq, version: -

Trust: 0.4

vendor: ns8 hmi terminal, model: -, scope: eq, version: -

Trust: 0.4

vendor: omron, model: ns8, scope: eq, version: 8.68

Trust: 0.3

vendor: omron, model: ns8, scope: eq, version: 8.1

Trust: 0.3

vendor: omron, model: ns5, scope: eq, version: 8.68

Trust: 0.3

vendor: omron, model: ns5, scope: eq, version: 8.1

Trust: 0.3

vendor: omron, model: ns15, scope: eq, version: 8.68

Trust: 0.3

vendor: omron, model: ns15, scope: eq, version: 8.1

Trust: 0.3

vendor: omron, model: ns12, scope: eq, version: 8.68

Trust: 0.3

vendor: omron, model: ns12, scope: eq, version: 8.1

Trust: 0.3

vendor: omron, model: ns10, scope: eq, version: 8.68

Trust: 0.3

vendor: omron, model: ns10, scope: eq, version: 8.1

Trust: 0.3

vendor: omron, model: ns8, scope: ne, version: 8.7

Trust: 0.3

vendor: omron, model: ns5, scope: ne, version: 8.7

Trust: 0.3

vendor: omron, model: ns15, scope: ne, version: 8.7

Trust: 0.3

vendor: omron, model: ns12, scope: ne, version: 8.7

Trust: 0.3

vendor: omron, model: ns10, scope: ne, version: 8.7

Trust: 0.3

sources: IVD: 7d7def40-463f-11e9-b4a6-000c29342cb1 // IVD: e2e3071c-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-04730 // BID: 68836 // CNNVD: CNNVD-201407-596 // JVNDB: JVNDB-2014-003554 // NVD: CVE-2014-2370

CVSS

SEVERITY

CVSSV2

CVSSV3

ics-cert@hq.dhs.gov: CVE-2014-2370
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2014-2370
value: LOW

Trust: 1.0

NVD: CVE-2014-2370
value: LOW

Trust: 0.8

CNVD: CNVD-2014-04730
value: LOW

Trust: 0.6

CNNVD: CNNVD-201407-596
value: LOW

Trust: 0.6

IVD: 7d7def40-463f-11e9-b4a6-000c29342cb1
value: LOW

Trust: 0.2

IVD: e2e3071c-2351-11e6-abef-000c29c66e3d
value: LOW

Trust: 0.2

VULHUB: VHN-70309
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2014-2370
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ics-cert@hq.dhs.gov: CVE-2014-2370
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2014-04730
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d7def40-463f-11e9-b4a6-000c29342cb1
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: e2e3071c-2351-11e6-abef-000c29c66e3d
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-70309
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 7d7def40-463f-11e9-b4a6-000c29342cb1 // IVD: e2e3071c-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-04730 // VULHUB: VHN-70309 // CNNVD: CNNVD-201407-596 // JVNDB: JVNDB-2014-003554 // NVD: CVE-2014-2370 // NVD: CVE-2014-2370

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-70309 // JVNDB: JVNDB-2014-003554 // NVD: CVE-2014-2370

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-596

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201407-596

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003554

PATCH

title: Scalable HMI
url: http://industrial.omron.us/en/products/catalogue/automation_systems/hmi/scalable_hmi/default.html

Trust: 0.8

title: NS5, NS8, NS10, NS12, NS15, NSH5-V2
url: http://www.fa.omron.co.jp/products/family/155/download/catalog.html

Trust: 0.8

title: Omron NS series HMI Terminals HTML Injection Vulnerability Patch
url: https://www.cnvd.org.cn/patchInfo/show/48043

Trust: 0.6

sources: CNVD: CNVD-2014-04730 // JVNDB: JVNDB-2014-003554

EXTERNAL IDS

db: NVD, id: CVE-2014-2370

Trust: 3.8

db: ICS CERT, id: ICSA-14-203-01

Trust: 3.4

db: BID, id: 68836

Trust: 2.0

db: CNNVD, id: CNNVD-201407-596

Trust: 1.1

db: CNVD, id: CNVD-2014-04730

Trust: 1.0

db: JVN, id: JVNVU97798872

Trust: 0.8

db: JVNDB, id: JVNDB-2014-003554

Trust: 0.8

db: IVD, id: 7D7DEF40-463F-11E9-B4A6-000C29342CB1

Trust: 0.2

db: IVD, id: E2E3071C-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: VULHUB, id: VHN-70309

Trust: 0.1

sources: IVD: 7d7def40-463f-11e9-b4a6-000c29342cb1 // IVD: e2e3071c-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-04730 // VULHUB: VHN-70309 // BID: 68836 // CNNVD: CNNVD-201407-596 // JVNDB: JVNDB-2014-003554 // NVD: CVE-2014-2370

REFERENCES

url: http://ics-cert.us-cert.gov/advisories/icsa-14-203-01

Trust: 3.4

url: http://www.securityfocus.com/bid/68836

Trust: 1.1

url: https://www.cisa.gov/news-events/ics-advisories/icsa-14-203-01

Trust: 1.0

url: https://automation.omron.com/en/us/products/

Trust: 1.0

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2370

Trust: 0.8

url: https://jvn.jp/vu/jvnvu97798872/

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2370

Trust: 0.8

url: http://industrial.omron.us/en/products/catalogue/automation_systems/hmi/scalable_hmi/

Trust: 0.3

sources: CNVD: CNVD-2014-04730 // VULHUB: VHN-70309 // BID: 68836 // CNNVD: CNNVD-201407-596 // JVNDB: JVNDB-2014-003554 // NVD: CVE-2014-2370

CREDITS

Joel Sevilleja Febrer of S2 Grupo

Trust: 0.3

sources: BID: 68836

SOURCES

db: IVD, id: 7d7def40-463f-11e9-b4a6-000c29342cb1
db: IVD, id: e2e3071c-2351-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2014-04730
db: VULHUB, id: VHN-70309
db: BID, id: 68836
db: CNNVD, id: CNNVD-201407-596
db: JVNDB, id: JVNDB-2014-003554
db: NVD, id: CVE-2014-2370

LAST UPDATE DATE

2025-10-07T23:12:16.214000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-04730, date: 2014-07-31T00:00:00
db: VULHUB, id: VHN-70309, date: 2015-10-08T00:00:00
db: BID, id: 68836, date: 2014-07-22T00:00:00
db: CNNVD, id: CNNVD-201407-596, date: 2014-07-29T00:00:00
db: JVNDB, id: JVNDB-2014-003554, date: 2014-07-25T00:00:00
db: NVD, id: CVE-2014-2370, date: 2025-10-06T18:15:48.843

SOURCES RELEASE DATE

db: IVD, id: 7d7def40-463f-11e9-b4a6-000c29342cb1, date: 2014-07-31T00:00:00
db: IVD, id: e2e3071c-2351-11e6-abef-000c29c66e3d, date: 2014-07-31T00:00:00
db: CNVD, id: CNVD-2014-04730, date: 2014-07-31T00:00:00
db: VULHUB, id: VHN-70309, date: 2014-07-24T00:00:00
db: BID, id: 68836, date: 2014-07-22T00:00:00
db: CNNVD, id: CNNVD-201407-596, date: 2014-07-29T00:00:00
db: JVNDB, id: JVNDB-2014-003554, date: 2014-07-25T00:00:00
db: NVD, id: CVE-2014-2370, date: 2014-07-24T14:55:07.317