Details of VAR-201510-0193

ID

VAR-201510-0193

CVE

CVE-2015-6477

TITLE

Nordex Control 2 SCADA of Wind Farm Portal Application cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-005367

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the Wind Farm Portal application in Nordex Control 2 (NC2) SCADA 16 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Nordex Control 2 is a web-based SCADA system for wind power plants. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Nordex Control 2 (NC2) SCADA 16 and prior versions are vulnerable

Trust: 2.79

sources: NVD: CVE-2015-6477 // JVNDB: JVNDB-2015-005367 // CNVD: CNVD-2015-06784 // BID: 77075 // IVD: 7c6016ce-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-84438 // VULMON: CVE-2015-6477

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 7c6016ce-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-06784

AFFECTED PRODUCTS

vendor:	nordex	model:	control 2 scada	scope:	lte	version:	16	Trust: 1.8
vendor:	nordex	model:	se nordex control scada	scope:	eq	version:	2<=16	Trust: 0.6
vendor:	nordex	model:	control 2 scada	scope:	eq	version:	16	Trust: 0.6
vendor:	nordex	model:	control scada	scope:	eq	version:	216	Trust: 0.3
vendor:	nordex	model:	control scada	scope:	eq	version:	215	Trust: 0.3
vendor:	nordex control 2 scada	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 7c6016ce-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-06784 // BID: 77075 // JVNDB: JVNDB-2015-005367 // CNNVD: CNNVD-201510-325 // NVD: CVE-2015-6477

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-6477
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-6477
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-06784
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201510-325
value:	MEDIUM
Trust: 0.6
IVD:	7c6016ce-2351-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2
VULHUB:	VHN-84438
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2015-6477
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-6477
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2015-06784
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7c6016ce-2351-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-84438
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 7c6016ce-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-06784 // VULHUB: VHN-84438 // VULMON: CVE-2015-6477 // JVNDB: JVNDB-2015-005367 // CNNVD: CNNVD-201510-325 // NVD: CVE-2015-6477

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-84438 // JVNDB: JVNDB-2015-005367 // NVD: CVE-2015-6477

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201510-325

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201510-325

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-005367

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-84438

PATCH

title:	NORDEX CONTROL 2	url:	http://www.nordex-online.com/fileadmin/MEDIA/Sonstiges/Nordex_Control_2_EN.pdf	Trust: 0.8
title:	Nordex NC2 has multiple patches for cross-site scripting vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/65559	Trust: 0.6
title:	Nordex Control 2 Wind Farm Portal Fixes for application cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=58173	Trust: 0.6
title:	Kenzer Templates [5170] [DEPRECATED]	url:	https://github.com/ARPSyndicate/kenzer-templates	Trust: 0.1

sources: CNVD: CNVD-2015-06784 // VULMON: CVE-2015-6477 // JVNDB: JVNDB-2015-005367 // CNNVD: CNNVD-201510-325

EXTERNAL IDS

db:	NVD	id:	CVE-2015-6477	Trust: 3.7
db:	ICS CERT	id:	ICSA-15-286-01	Trust: 3.5
db:	PACKETSTORM	id:	135068	Trust: 1.2
db:	CNNVD	id:	CNNVD-201510-325	Trust: 0.9
db:	CNVD	id:	CNVD-2015-06784	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-005367	Trust: 0.8
db:	BID	id:	77075	Trust: 0.4
db:	IVD	id:	7C6016CE-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-84438	Trust: 0.1
db:	VULMON	id:	CVE-2015-6477	Trust: 0.1

sources: IVD: 7c6016ce-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-06784 // VULHUB: VHN-84438 // VULMON: CVE-2015-6477 // BID: 77075 // JVNDB: JVNDB-2015-005367 // CNNVD: CNNVD-201510-325 // NVD: CVE-2015-6477

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-15-286-01	Trust: 3.5
url:	http://packetstormsecurity.com/files/135068/nordex-control-2-nc2-scada-16-cross-site-scripting.html	Trust: 1.3
url:	http://seclists.org/fulldisclosure/2015/dec/117	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6477	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6477	Trust: 0.8
url:	http://www.nordex-online.com/fileadmin/media/sonstiges/nordex_control_2_en.pdf	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/arpsyndicate/kenzer-templates	Trust: 0.1

sources: CNVD: CNVD-2015-06784 // VULHUB: VHN-84438 // VULMON: CVE-2015-6477 // BID: 77075 // JVNDB: JVNDB-2015-005367 // CNNVD: CNNVD-201510-325 // NVD: CVE-2015-6477

CREDITS

Karn Ganeshen

Trust: 0.3

sources: BID: 77075

SOURCES

db:	IVD	id:	7c6016ce-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2015-06784
db:	VULHUB	id:	VHN-84438
db:	VULMON	id:	CVE-2015-6477
db:	BID	id:	77075
db:	JVNDB	id:	JVNDB-2015-005367
db:	CNNVD	id:	CNNVD-201510-325
db:	NVD	id:	CVE-2015-6477

LAST UPDATE DATE

2025-04-13T23:39:37.335000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-06784	date:	2015-10-22T00:00:00
db:	VULHUB	id:	VHN-84438	date:	2016-12-07T00:00:00
db:	VULMON	id:	CVE-2015-6477	date:	2016-12-07T00:00:00
db:	BID	id:	77075	date:	2015-10-13T00:00:00
db:	JVNDB	id:	JVNDB-2015-005367	date:	2015-10-20T00:00:00
db:	CNNVD	id:	CNNVD-201510-325	date:	2015-10-19T00:00:00
db:	NVD	id:	CVE-2015-6477	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	IVD	id:	7c6016ce-2351-11e6-abef-000c29c66e3d	date:	2015-10-22T00:00:00
db:	CNVD	id:	CNVD-2015-06784	date:	2015-10-22T00:00:00
db:	VULHUB	id:	VHN-84438	date:	2015-10-18T00:00:00
db:	VULMON	id:	CVE-2015-6477	date:	2015-10-18T00:00:00
db:	BID	id:	77075	date:	2015-10-13T00:00:00
db:	JVNDB	id:	JVNDB-2015-005367	date:	2015-10-20T00:00:00
db:	CNNVD	id:	CNNVD-201510-325	date:	2015-10-19T00:00:00
db:	NVD	id:	CVE-2015-6477	date:	2015-10-18T19:59:01.400