ID

VAR-201411-0418


CVE

CVE-2014-5408


TITLE

Nordex NC2 'username' Parameter Cross-Site Scripting Vulnerability

Trust: 0.8

sources: IVD: bb54805e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08097

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the login script in the Wind Farm Portal on Nordex Control 2 (NC2) SCADA devices 15 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter. Nordex Control 2 is a fan control system. A cross-site scripting vulnerability exists in Nordex Control 2 (NC2) in versions prior to SCADA 16. Because the program fails to properly filter the 'username' parameter, remote attackers can exploit the vulnerability by building malicious URIs and enticing users to open them, in order to obtain sensitive cookies, hijack sessions or perform malicious operations on the client. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Nordex NC2 (also known as Nordex Control 2) is a SCADA (Supervisory Control and Data Acquisition) system used in the wind power industry by Nordex, Germany. Wind Farm Portal is a wind farm control portal based on this system.

Trust: 2.7

sources: NVD: CVE-2014-5408 // JVNDB: JVNDB-2014-005257 // CNVD: CNVD-2014-08097 // BID: 70851 // IVD: bb54805e-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-73349

IOT TAXONOMY

category: ['ICS'] | sub_category: -

Trust: 0.8

sources: IVD: bb54805e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08097

AFFECTED PRODUCTS

vendor: nordex | model: control 2 scada | scope: lte | version: 15

Trust: 1.8

vendor: nordex | model: se nordex control scada | scope: eq | version: 216

Trust: 0.6

vendor: nordex | model: control 2 scada | scope: eq | version: 15

Trust: 0.6

vendor: nordex | model: control scada | scope: eq | version: 216

Trust: 0.3

vendor: nordex control 2 scada | model: - | scope: eq | version: *

Trust: 0.2

sources: IVD: bb54805e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08097 // BID: 70851 // JVNDB: JVNDB-2014-005257 // CNNVD: CNNVD-201411-005 // NVD: CVE-2014-5408

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-5408
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-5408
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-08097
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201411-005
value: MEDIUM

Trust: 0.6

IVD: bb54805e-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

VULHUB: VHN-73349
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-5408
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-08097
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: bb54805e-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-73349
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: bb54805e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08097 // VULHUB: VHN-73349 // JVNDB: JVNDB-2014-005257 // CNNVD: CNNVD-201411-005 // NVD: CVE-2014-5408

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-73349 // JVNDB: JVNDB-2014-005257 // NVD: CVE-2014-5408

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201411-005

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201411-005

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005257

PATCH

title: NORDEX CONTROL 2 | url: http://www.nordex-online.com/fileadmin/MEDIA/Sonstiges/Nordex_Control_2_EN.pdf

Trust: 0.8

sources: JVNDB: JVNDB-2014-005257

EXTERNAL IDS

db: NVD | id: CVE-2014-5408

Trust: 3.6

db: ICS CERT | id: ICSA-14-303-01

Trust: 2.8

db: BID | id: 70851

Trust: 2.6

db: CNNVD | id: CNNVD-201411-005

Trust: 0.9

db: CNVD | id: CNVD-2014-08097

Trust: 0.8

db: JVNDB | id: JVNDB-2014-005257

Trust: 0.8

db: IVD | id: BB54805E-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: VULHUB | id: VHN-73349

Trust: 0.1

sources: IVD: bb54805e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-08097 // VULHUB: VHN-73349 // BID: 70851 // JVNDB: JVNDB-2014-005257 // CNNVD: CNNVD-201411-005 // NVD: CVE-2014-5408

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-14-303-01

Trust: 2.8

url:http://www.securityfocus.com/bid/70851

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5408

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-5408

Trust: 0.8

url:http://www.securityfocus.com/bid/70851/

Trust: 0.6

url:http://www.nordex-online.com/en/products-services/wind-turbines.html

Trust: 0.3

sources: CNVD: CNVD-2014-08097 // VULHUB: VHN-73349 // BID: 70851 // JVNDB: JVNDB-2014-005257 // CNNVD: CNNVD-201411-005 // NVD: CVE-2014-5408

CREDITS

Darius Freamon

Trust: 0.9

sources: BID: 70851 // CNNVD: CNNVD-201411-005

SOURCES

db: IVD | id: bb54805e-2351-11e6-abef-000c29c66e3d
db: CNVD | id: CNVD-2014-08097
db: VULHUB | id: VHN-73349
db: BID | id: 70851
db: JVNDB | id: JVNDB-2014-005257
db: CNNVD | id: CNNVD-201411-005
db: NVD | id: CVE-2014-5408

LAST UPDATE DATE

2025-04-13T23:04:43.937000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2014-08097 | date: 2014-11-06T00:00:00
db: VULHUB | id: VHN-73349 | date: 2015-08-06T00:00:00
db: BID | id: 70851 | date: 2014-10-30T00:00:00
db: JVNDB | id: JVNDB-2014-005257 | date: 2014-11-07T00:00:00
db: CNNVD | id: CNNVD-201411-005 | date: 2014-11-06T00:00:00
db: NVD | id: CVE-2014-5408 | date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: IVD | id: bb54805e-2351-11e6-abef-000c29c66e3d | date: 2014-11-06T00:00:00
db: CNVD | id: CNVD-2014-08097 | date: 2014-11-06T00:00:00
db: VULHUB | id: VHN-73349 | date: 2014-11-05T00:00:00
db: BID | id: 70851 | date: 2014-10-30T00:00:00
db: JVNDB | id: JVNDB-2014-005257 | date: 2014-11-07T00:00:00
db: CNNVD | id: CNNVD-201411-005 | date: 2014-10-30T00:00:00
db: NVD | id: CVE-2014-5408 | date: 2014-11-05T11:55:06.437