ID

VAR-201504-0075


CVE

CVE-2015-0976


TITLE

Inductive Automation Ignition Cross-Site Scripting Vulnerability

Trust: 1.4

sources: IVD: 98f60eec-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02153 // CNNVD: CNNVD-201504-050

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Inductive Automation Ignition 7.7.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Ignition is an updated version of FactoryPMI, Human Interface/SCADA, from Inductive Automation. Ignition has a security vulnerability that could allow an attacker to execute malicious content in a vulnerable web application. The server reads the data directly from the HTTP request and then returns it in the HTTP response. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Trust: 2.7

sources: NVD: CVE-2015-0976 // JVNDB: JVNDB-2015-002069 // CNVD: CNVD-2015-02153 // BID: 73468 // IVD: 98f60eec-2351-11e6-abef-000c29c66e3d // VULMON: CVE-2015-0976

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: 98f60eec-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02153

AFFECTED PRODUCTS

vendor: inductiveautomation, model: ignition, scope: eq, version: 7.7.2

Trust: 1.6

vendor: inductive, model: automation ignition, scope: eq, version: 7.7.2

Trust: 0.9

vendor: inductive automation, model: ignition, scope: eq, version: 7.7.2

Trust: 0.8

vendor: ignition, model: -, scope: eq, version: 7.7.2

Trust: 0.2

sources: IVD: 98f60eec-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02153 // BID: 73468 // JVNDB: JVNDB-2015-002069 // CNNVD: CNNVD-201504-050 // NVD: CVE-2015-0976

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-0976
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-0976
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-02153
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201504-050
value: MEDIUM

Trust: 0.6

IVD: 98f60eec-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

VULMON: CVE-2015-0976
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-0976
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2015-02153
severity: MEDIUM
baseScore: 4.7
vectorString: AV:L/AC:H/AU:N/C:C/I:N/A:P
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 1.9
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 98f60eec-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 4.7
vectorString: AV:L/AC:H/AU:N/C:C/I:N/A:P
accessVector: LOCAL
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 1.9
impactScore: 7.8
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: 98f60eec-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02153 // VULMON: CVE-2015-0976 // JVNDB: JVNDB-2015-002069 // CNNVD: CNNVD-201504-050 // NVD: CVE-2015-0976

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2015-002069 // NVD: CVE-2015-0976

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201504-050

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201504-050

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002069

PATCH

title: Downloads, url: https://www.inductiveautomation.com/downloads/ignition

Trust: 0.8

title: Patch for Inductive Automation Ignition Cross-Site Scripting Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/56900

Trust: 0.6

sources: CNVD: CNVD-2015-02153 // JVNDB: JVNDB-2015-002069

EXTERNAL IDS

db: NVD, id: CVE-2015-0976

Trust: 3.6

db: ICS CERT, id: ICSA-15-090-01

Trust: 3.4

db: CNVD, id: CNVD-2015-02153

Trust: 0.8

db: CNNVD, id: CNNVD-201504-050

Trust: 0.8

db: JVNDB, id: JVNDB-2015-002069

Trust: 0.8

db: BID, id: 73468

Trust: 0.3

db: IVD, id: 98F60EEC-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: VULMON, id: CVE-2015-0976

Trust: 0.1

sources: IVD: 98f60eec-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02153 // VULMON: CVE-2015-0976 // BID: 73468 // JVNDB: JVNDB-2015-002069 // CNNVD: CNNVD-201504-050 // NVD: CVE-2015-0976

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-15-090-01

Trust: 3.4

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0976

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-0976

Trust: 0.8

url:http://www.inductiveautomation.com/scada-software

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2015-02153 // VULMON: CVE-2015-0976 // BID: 73468 // JVNDB: JVNDB-2015-002069 // CNNVD: CNNVD-201504-050 // NVD: CVE-2015-0976

CREDITS

Evgeny Druzhinin, Alexey Osipov, Ilya Karpov, and Gleb Gritsai.

Trust: 0.3

sources: BID: 73468

SOURCES

db: IVD, id: 98f60eec-2351-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2015-02153
db: VULMON, id: CVE-2015-0976
db: BID, id: 73468
db: JVNDB, id: JVNDB-2015-002069
db: CNNVD, id: CNNVD-201504-050
db: NVD, id: CVE-2015-0976

LAST UPDATE DATE

2025-04-12T23:04:45.311000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2015-02153, date: 2015-04-03T00:00:00
db: VULMON, id: CVE-2015-0976, date: 2015-04-03T00:00:00
db: BID, id: 73468, date: 2015-03-31T00:00:00
db: JVNDB, id: JVNDB-2015-002069, date: 2015-04-07T00:00:00
db: CNNVD, id: CNNVD-201504-050, date: 2015-04-07T00:00:00
db: NVD, id: CVE-2015-0976, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: IVD, id: 98f60eec-2351-11e6-abef-000c29c66e3d, date: 2015-04-03T00:00:00
db: CNVD, id: CNVD-2015-02153, date: 2015-04-03T00:00:00
db: VULMON, id: CVE-2015-0976, date: 2015-04-03T00:00:00
db: BID, id: 73468, date: 2015-03-31T00:00:00
db: JVNDB, id: JVNDB-2015-002069, date: 2015-04-07T00:00:00
db: CNNVD, id: CNNVD-201504-050, date: 2015-04-07T00:00:00
db: NVD, id: CVE-2015-0976, date: 2015-04-03T10:59:11.333