Details of VAR-201409-0722

ID

VAR-201409-0722

CVE

CVE-2014-5411

TITLE

Schneider Electric ClearSCADA Cross-Site Scripting Vulnerability

Trust: 1.0

sources: IVD: 770608ec-1eb9-11e6-abef-000c29c66e3d // IVD: dcdeebb0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-06196

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. ClearSCADA is an integrated SCADA host platform that includes a rotation training engine, real-time database, web server, alarm processor and reporting software. A cross-site scripting vulnerability exists in the ClearSCADA WEB interface that allows an attacker to exploit a vulnerability to construct a malicious URI, to induce user resolution, and to perform system management operations. Scada Expert Clearscada is prone to a cross-site scripting vulnerability. Schneider Electric StruxureWare SCADA Expert ClearSCADA is a set of energy efficiency management software monitoring platform of French Schneider Electric (Schneider Electric). The platform is primarily used for remote management of critical infrastructure

Trust: 2.88

sources: NVD: CVE-2014-5411 // JVNDB: JVNDB-2014-004282 // CNVD: CNVD-2014-06196 // BID: 80073 // IVD: 770608ec-1eb9-11e6-abef-000c29c66e3d // IVD: dcdeebb0-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-73352

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 1.0

sources: IVD: 770608ec-1eb9-11e6-abef-000c29c66e3d // IVD: dcdeebb0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-06196

AFFECTED PRODUCTS

vendor:	clearscada	model:	-	scope:	eq	version:	2013	Trust: 2.0
vendor:	schneider electric	model:	scada expert clearscada	scope:	eq	version:	2014	Trust: 1.6
vendor:	schneider electric	model:	scada expert clearscada	scope:	eq	version:	2013	Trust: 1.6
vendor:	aveva	model:	clearscada	scope:	eq	version:	2010	Trust: 1.0
vendor:	aveva	model:	clearscada	scope:	eq	version:	2013	Trust: 1.0
vendor:	clearscada	model:	-	scope:	eq	version:	2010	Trust: 0.8
vendor:	schneider electric	model:	clearscada	scope:	eq	version:	2010 r3 (build 72.4560)	Trust: 0.8
vendor:	schneider electric	model:	clearscada	scope:	eq	version:	2010 r3.1 (build 72.4644)	Trust: 0.8
vendor:	schneider electric	model:	scada expert clearscada	scope:	eq	version:	2013 r1 (build 73.4729)	Trust: 0.8
vendor:	schneider electric	model:	scada expert clearscada	scope:	eq	version:	2013 r1.1 (build 73.4832)	Trust: 0.8
vendor:	schneider electric	model:	scada expert clearscada	scope:	eq	version:	2013 r1.1a (build 73.4903)	Trust: 0.8
vendor:	schneider electric	model:	scada expert clearscada	scope:	eq	version:	2013 r1.2 (build 73.4955)	Trust: 0.8
vendor:	schneider electric	model:	scada expert clearscada	scope:	eq	version:	2013 r2 (build 74.5094)	Trust: 0.8
vendor:	schneider electric	model:	scada expert clearscada	scope:	eq	version:	2013 r2.1 (build 74.5192)	Trust: 0.8
vendor:	schneider electric	model:	scada expert clearscada	scope:	eq	version:	2014 r1 (build 75.5210)	Trust: 0.8
vendor:	schneider	model:	electric clearscada r3 (build	scope:	eq	version:	201072.4560)	Trust: 0.6
vendor:	schneider	model:	electric clearscada r3.1 (build	scope:	eq	version:	201072.4644)	Trust: 0.6
vendor:	schneider	model:	electric scada expert clearscada r1 (build	scope:	eq	version:	201373.4729)	Trust: 0.6
vendor:	schneider	model:	electric scada expert clearscada r1.1 (build	scope:	eq	version:	201373.4832)	Trust: 0.6
vendor:	schneider	model:	electric scada expert clearscada r1.1a (build	scope:	eq	version:	201373.4903)	Trust: 0.6
vendor:	schneider	model:	electric scada expert clearscada r1.2 (build	scope:	eq	version:	201373.4955)	Trust: 0.6
vendor:	schneider	model:	electric scada expert clearscada r2 (build	scope:	eq	version:	201374.5094)	Trust: 0.6
vendor:	schneider	model:	electric scada expert clearscada r2.1 (build	scope:	eq	version:	201374.5192)	Trust: 0.6
vendor:	schneider	model:	electric scada expert clearscada r1 (build	scope:	eq	version:	201475.5210)	Trust: 0.6
vendor:	schneider electric	model:	clearscada	scope:	eq	version:	2010	Trust: 0.6
vendor:	scada expert clearscada	model:	-	scope:	eq	version:	2013	Trust: 0.4
vendor:	scada expert clearscada	model:	-	scope:	eq	version:	2014	Trust: 0.4
vendor:	schneider electric	model:	scada expert clearscada r1	scope:	eq	version:	2014	Trust: 0.3
vendor:	schneider electric	model:	scada expert clearscada r2.1	scope:	eq	version:	2013	Trust: 0.3
vendor:	schneider electric	model:	scada expert clearscada r2	scope:	eq	version:	2013	Trust: 0.3
vendor:	schneider electric	model:	scada expert clearscada r1.2	scope:	eq	version:	2013	Trust: 0.3
vendor:	schneider electric	model:	scada expert clearscada r1.1a	scope:	eq	version:	2013	Trust: 0.3
vendor:	schneider electric	model:	scada expert clearscada r1.1	scope:	eq	version:	2013	Trust: 0.3
vendor:	schneider electric	model:	scada expert clearscada r1	scope:	eq	version:	2013	Trust: 0.3
vendor:	schneider electric	model:	clearscada r3.1	scope:	eq	version:	2010	Trust: 0.3
vendor:	schneider electric	model:	clearscada r3	scope:	eq	version:	2010	Trust: 0.3

sources: IVD: 770608ec-1eb9-11e6-abef-000c29c66e3d // IVD: dcdeebb0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-06196 // BID: 80073 // JVNDB: JVNDB-2014-004282 // CNNVD: CNNVD-201409-656 // NVD: CVE-2014-5411

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-5411
value:	LOW
Trust: 1.0
NVD:	CVE-2014-5411
value:	LOW
Trust: 0.8
CNVD:	CNVD-2014-06196
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201409-656
value:	LOW
Trust: 0.6
IVD:	770608ec-1eb9-11e6-abef-000c29c66e3d
value:	LOW
Trust: 0.2
IVD:	dcdeebb0-2351-11e6-abef-000c29c66e3d
value:	LOW
Trust: 0.2
VULHUB:	VHN-73352
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2014-5411
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2014-06196
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	770608ec-1eb9-11e6-abef-000c29c66e3d
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	dcdeebb0-2351-11e6-abef-000c29c66e3d
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-73352
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 770608ec-1eb9-11e6-abef-000c29c66e3d // IVD: dcdeebb0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-06196 // VULHUB: VHN-73352 // JVNDB: JVNDB-2014-004282 // CNNVD: CNNVD-201409-656 // NVD: CVE-2014-5411

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-73352 // JVNDB: JVNDB-2014-004282 // NVD: CVE-2014-5411

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201409-656

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201409-656

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-004282

PATCH

title:	StruxureWare SCADA Expert ClearSCADA	url:	http://www.schneider-electric.com/products/ww/en/5100-software/5135-operating-monitoring/61264-struxureware-scada-expert-clearscada/?xtmc=ClearSCADA&xtcr=1	Trust: 0.8
title:	Patch for Schneider Electric ClearSCADA Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/50244	Trust: 0.6

sources: CNVD: CNVD-2014-06196 // JVNDB: JVNDB-2014-004282

EXTERNAL IDS

db:	NVD	id:	CVE-2014-5411	Trust: 3.8
db:	ICS CERT	id:	ICSA-14-259-01	Trust: 3.4
db:	CNVD	id:	CNVD-2014-06196	Trust: 1.0
db:	CNNVD	id:	CNNVD-201409-656	Trust: 1.0
db:	JVNDB	id:	JVNDB-2014-004282	Trust: 0.8
db:	OSVDB	id:	111238	Trust: 0.6
db:	BID	id:	80073	Trust: 0.4
db:	IVD	id:	770608EC-1EB9-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	IVD	id:	DCDEEBB0-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-73352	Trust: 0.1

sources: IVD: 770608ec-1eb9-11e6-abef-000c29c66e3d // IVD: dcdeebb0-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-06196 // VULHUB: VHN-73352 // BID: 80073 // JVNDB: JVNDB-2014-004282 // CNNVD: CNNVD-201409-656 // NVD: CVE-2014-5411

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-14-259-01	Trust: 3.4
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5411	Trust: 1.4
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5411	Trust: 0.8
url:	http://osvdb.com/show/osvdb/111238	Trust: 0.6

sources: CNVD: CNVD-2014-06196 // VULHUB: VHN-73352 // BID: 80073 // JVNDB: JVNDB-2014-004282 // CNNVD: CNNVD-201409-656 // NVD: CVE-2014-5411

CREDITS

Unknown

Trust: 0.3

sources: BID: 80073

SOURCES

db:	IVD	id:	770608ec-1eb9-11e6-abef-000c29c66e3d
db:	IVD	id:	dcdeebb0-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2014-06196
db:	VULHUB	id:	VHN-73352
db:	BID	id:	80073
db:	JVNDB	id:	JVNDB-2014-004282
db:	CNNVD	id:	CNNVD-201409-656
db:	NVD	id:	CVE-2014-5411

LAST UPDATE DATE

2025-04-13T23:22:32.425000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2014-06196	date:	2014-09-23T00:00:00
db:	VULHUB	id:	VHN-73352	date:	2018-12-31T00:00:00
db:	BID	id:	80073	date:	2014-09-18T00:00:00
db:	JVNDB	id:	JVNDB-2014-004282	date:	2014-09-19T00:00:00
db:	CNNVD	id:	CNNVD-201409-656	date:	2014-09-19T00:00:00
db:	NVD	id:	CVE-2014-5411	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	IVD	id:	770608ec-1eb9-11e6-abef-000c29c66e3d	date:	2014-09-23T00:00:00
db:	IVD	id:	dcdeebb0-2351-11e6-abef-000c29c66e3d	date:	2014-09-23T00:00:00
db:	CNVD	id:	CNVD-2014-06196	date:	2014-09-23T00:00:00
db:	VULHUB	id:	VHN-73352	date:	2014-09-18T00:00:00
db:	BID	id:	80073	date:	2014-09-18T00:00:00
db:	JVNDB	id:	JVNDB-2014-004282	date:	2014-09-19T00:00:00
db:	CNNVD	id:	CNNVD-201409-656	date:	2014-09-19T00:00:00
db:	NVD	id:	CVE-2014-5411	date:	2014-09-18T10:55:11.640