ID

VAR-201408-0349


CVE

CVE-2014-5397


TITLE

Schneider Electric Wonderware Information Server Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2014-003983

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Invensys Wonderware Information Server provides graphical visualization, reporting and analysis of real-time, network-based plant operations data that helps drive productivity across the enterprise. The program supports dashboards, pre-designed industrial activity reports, etc., and provides processes for analysis or write-back mechanisms. Exploiting the vulnerability can allow the attacker to steal cookie-based authentication credentials and launch other attacks. The following versions are vulnerable: Wonderware Information Server 4.0 SP1, Wonderware Information Server 4.5 Portal, Wonderware Information Server 5.0 Portal, and Wonderware Information Server 5.5 Portal.

Trust: 2.79

sources: NVD: CVE-2014-5397 // JVNDB: JVNDB-2014-003983 // CNVD: CNVD-2014-05271 // BID: 69418 // IVD: dbde3a0e-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-73338 // VULMON: CVE-2014-5397

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: dbde3a0e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-05271

AFFECTED PRODUCTS

vendor: invensys, model: wonderware information server, scope: eq, version: 5.5

Trust: 1.6

vendor: invensys, model: wonderware information server, scope: eq, version: 4.5

Trust: 1.6

vendor: invensys, model: wonderware information server, scope: eq, version: 4.0

Trust: 1.6

vendor: invensys, model: wonderware information server, scope: eq, version: 5.0

Trust: 1.6

vendor: invensys, model: wonderware information server sp1, scope: eq, version: 4.0

Trust: 0.9

vendor: invensys, model: wonderware information server portal, scope: eq, version: 4.5

Trust: 0.9

vendor: invensys, model: wonderware information server, scope: eq, version: portal 4.0 sp1 to 5.5

Trust: 0.8

vendor: invensys, model: wonderware information server portal, scope: eq, version: 5.0

Trust: 0.6

vendor: invensys, model: wonderware information server portal, scope: eq, version: 5.5

Trust: 0.6

vendor: wonderware information server, model: -, scope: eq, version: 4.0

Trust: 0.4

vendor: wonderware information server, model: -, scope: eq, version: 4.5

Trust: 0.2

vendor: wonderware information server, model: -, scope: eq, version: 5.0

Trust: 0.2

vendor: wonderware information server, model: -, scope: eq, version: 5.5

Trust: 0.2

sources: IVD: dbde3a0e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-05271 // BID: 69418 // JVNDB: JVNDB-2014-003983 // CNNVD: CNNVD-201408-432 // NVD: CVE-2014-5397

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-5397
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-5397
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-05271
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201408-432
value: MEDIUM

Trust: 0.6

IVD: dbde3a0e-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

VULHUB: VHN-73338
value: MEDIUM

Trust: 0.1

VULMON: CVE-2014-5397
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-5397
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2014-05271
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: dbde3a0e-2351-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-73338
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: dbde3a0e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-05271 // VULHUB: VHN-73338 // VULMON: CVE-2014-5397 // JVNDB: JVNDB-2014-003983 // CNNVD: CNNVD-201408-432 // NVD: CVE-2014-5397

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-73338 // JVNDB: JVNDB-2014-003983 // NVD: CVE-2014-5397

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201408-432

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201408-432

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003983

PATCH

title: Wonderware Information Server, url: http://software.invensys.com/products/wonderware/production-information-management/information-server/

Trust: 0.8

title: Patch for Invensys Wonderware Information Server Cross-Site Scripting Vulnerability (CNVD-2014-05271), url: https://www.cnvd.org.cn/patchInfo/show/49429

Trust: 0.6

sources: CNVD: CNVD-2014-05271 // JVNDB: JVNDB-2014-003983

EXTERNAL IDS

db: NVD, id: CVE-2014-5397

Trust: 3.8

db: ICS CERT, id: ICSA-14-238-02

Trust: 3.2

db: BID, id: 69418

Trust: 2.1

db: CNNVD, id: CNNVD-201408-432

Trust: 0.9

db: CNVD, id: CNVD-2014-05271

Trust: 0.8

db: JVNDB, id: JVNDB-2014-003983

Trust: 0.8

db: IVD, id: DBDE3A0E-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: VULHUB, id: VHN-73338

Trust: 0.1

db: VULMON, id: CVE-2014-5397

Trust: 0.1

db: PACKETSTORM, id: 128111

Trust: 0.1

sources: IVD: dbde3a0e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-05271 // VULHUB: VHN-73338 // VULMON: CVE-2014-5397 // BID: 69418 // JVNDB: JVNDB-2014-003983 // PACKETSTORM: 128111 // CNNVD: CNNVD-201408-432 // NVD: CVE-2014-5397

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-14-238-02

Trust: 3.3

url:http://www.securityfocus.com/bid/69418

Trust: 1.3

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5397

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5397

Trust: 0.8

url:http://www.securityfocus.com/bid/69418/info

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-5398

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-5399

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-5397

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-2381

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-2380

Trust: 0.1

sources: CNVD: CNVD-2014-05271 // VULHUB: VHN-73338 // VULMON: CVE-2014-5397 // JVNDB: JVNDB-2014-003983 // PACKETSTORM: 128111 // CNNVD: CNNVD-201408-432 // NVD: CVE-2014-5397

CREDITS

Timur Yunusov, Ilya Karpov, Sergey Gordeychik, Alexey Osipov, and Dmitry Serebryannikov of the Positive Technologies Research Team

Trust: 0.3

sources: BID: 69418

SOURCES

db: IVD, id: dbde3a0e-2351-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2014-05271
db: VULHUB, id: VHN-73338
db: VULMON, id: CVE-2014-5397
db: BID, id: 69418
db: JVNDB, id: JVNDB-2014-003983
db: PACKETSTORM, id: 128111
db: CNNVD, id: CNNVD-201408-432
db: NVD, id: CVE-2014-5397

LAST UPDATE DATE

2025-04-13T23:04:56.112000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2014-05271, date: 2014-08-28T00:00:00
db: VULHUB, id: VHN-73338, date: 2015-10-21T00:00:00
db: VULMON, id: CVE-2014-5397, date: 2015-10-21T00:00:00
db: BID, id: 69418, date: 2015-03-19T09:39:00
db: JVNDB, id: JVNDB-2014-003983, date: 2014-08-29T00:00:00
db: CNNVD, id: CNNVD-201408-432, date: 2014-08-29T00:00:00
db: NVD, id: CVE-2014-5397, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: IVD, id: dbde3a0e-2351-11e6-abef-000c29c66e3d, date: 2014-08-28T00:00:00
db: CNVD, id: CNVD-2014-05271, date: 2014-08-28T00:00:00
db: VULHUB, id: VHN-73338, date: 2014-08-28T00:00:00
db: VULMON, id: CVE-2014-5397, date: 2014-08-28T00:00:00
db: BID, id: 69418, date: 2014-08-26T00:00:00
db: JVNDB, id: JVNDB-2014-003983, date: 2014-08-29T00:00:00
db: PACKETSTORM, id: 128111, date: 2014-09-01T14:55:55
db: CNNVD, id: CNNVD-201408-432, date: 2014-08-29T00:00:00
db: NVD, id: CVE-2014-5397, date: 2014-08-28T01:55:03.543