ID

VAR-201603-0038


CVE

CVE-2016-2287


TITLE

Cross-site scripting vulnerability in 442SR OS running on XZERES 442SR wind turbines

Trust: 0.8

sources: JVNDB: JVNDB-2016-001814

DESCRIPTION

Cross-site scripting (XSS) vulnerability in XZERES 442SR OS on 442SR wind turbines allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Trust: 1.89

sources: NVD: CVE-2016-2287 // JVNDB: JVNDB-2016-001814 // BID: 85021

AFFECTED PRODUCTS

vendor: xzeres, model: 442sr os, scope: eq, version: -

Trust: 1.6

vendor: xzeres wind corp, model: 442sr os, scope: -, version: -

Trust: 0.8

vendor: xzeres wind corp, model: 442sr wind turbine, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2016-001814 // CNNVD: CNNVD-201603-279 // NVD: CVE-2016-2287

CVSS

SEVERITY

nvd@nist.gov: CVE-2016-2287
value: MEDIUM

Trust: 1.0

NVD: CVE-2016-2287
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201603-279
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2016-2287
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2016-2287
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.0

sources: JVNDB: JVNDB-2016-001814 // CNNVD: CNNVD-201603-279 // NVD: CVE-2016-2287

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2016-001814 // NVD: CVE-2016-2287

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201603-279

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201603-279

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001814

PATCH

title: XZERES 442SR Wind Turbines
url: http://www.xzeres.co.uk/wind-turbine-products/xzeres442sr-wind-generator/

Trust: 0.8

title: XZERES 442SR Wind Turbine OS Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60619

Trust: 0.6

sources: JVNDB: JVNDB-2016-001814 // CNNVD: CNNVD-201603-279

EXTERNAL IDS

db: NVD, id: CVE-2016-2287

Trust: 2.7

db: ICS CERT, id: ICSA-15-342-01

Trust: 2.4

db: JVNDB, id: JVNDB-2016-001814

Trust: 0.8

db: CNNVD, id: CNNVD-201603-279

Trust: 0.6

db: BID, id: 85021

Trust: 0.3

sources: BID: 85021 // JVNDB: JVNDB-2016-001814 // CNNVD: CNNVD-201603-279 // NVD: CVE-2016-2287

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-15-342-01

Trust: 2.4

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2287

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2287

Trust: 0.8

sources: JVNDB: JVNDB-2016-001814 // CNNVD: CNNVD-201603-279 // NVD: CVE-2016-2287

CREDITS

Karn Ganeshen.

Trust: 0.3

sources: BID: 85021

SOURCES

db: BID, id: 85021
db: JVNDB, id: JVNDB-2016-001814
db: CNNVD, id: CNNVD-201603-279
db: NVD, id: CVE-2016-2287

LAST UPDATE DATE

2025-04-12T23:04:31.800000+00:00


SOURCES UPDATE DATE

db: BID, id: 85021, date: 2015-12-08T00:00:00
db: JVNDB, id: JVNDB-2016-001814, date: 2016-03-22T00:00:00
db: CNNVD, id: CNNVD-201603-279, date: 2016-03-21T00:00:00
db: NVD, id: CVE-2016-2287, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: BID, id: 85021, date: 2015-12-08T00:00:00
db: JVNDB, id: JVNDB-2016-001814, date: 2016-03-22T00:00:00
db: CNNVD, id: CNNVD-201603-279, date: 2016-03-21T00:00:00
db: NVD, id: CVE-2016-2287, date: 2016-03-19T10:59:01.707