fkie_nvd - fkie_cve-2014-5411

FKIE_CVE-2014-5411

Vulnerability from fkie_nvd - Published: 2014-09-18 10:55 - Updated: 2025-11-04 23:15

Severity ?

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

References

URL	Tags
ics-cert@hq.dhs.gov	https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-259-01a.json
ics-cert@hq.dhs.gov	https://www.cisa.gov/news-events/ics-advisories/icsa-14-259-01a
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSA-14-259-01	Third Party Advisory, US Government Resource

Impacted products

Vendor	Product	Version
aveva	clearscada	2010
aveva	clearscada	2010
aveva	clearscada	2013
aveva	clearscada	2013
aveva	clearscada	2013
aveva	clearscada	2013
aveva	clearscada	2013
schneider-electric	scada_expert_clearscada	2013
schneider-electric	scada_expert_clearscada	2014

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:aveva:clearscada:2010:r3:*:*:*:*:*:*",
              "matchCriteriaId": "AAD213FA-E444-4DDB-B593-CC79C45D92F2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:aveva:clearscada:2010:r3.1:*:*:*:*:*:*",
              "matchCriteriaId": "E4FBC203-019A-4DE0-97ED-F0A4872B4E55",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:aveva:clearscada:2013:r1:*:*:*:*:*:*",
              "matchCriteriaId": "0733DE5C-D168-4A2B-996F-E2BE671FB4C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:aveva:clearscada:2013:r1.1:*:*:*:*:*:*",
              "matchCriteriaId": "9A22FFBF-1EAF-478B-A8F4-5EDBDCAE8F41",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:aveva:clearscada:2013:r1.1a:*:*:*:*:*:*",
              "matchCriteriaId": "64BF21B8-F98E-46C5-A1AC-FE7DBD45D80F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:aveva:clearscada:2013:r1.2:*:*:*:*:*:*",
              "matchCriteriaId": "A2115F6A-1689-4121-99FA-5821C78BA394",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:aveva:clearscada:2013:r2:*:*:*:*:*:*",
              "matchCriteriaId": "D2F240E9-4C6F-4257-9F20-456B736569CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:schneider-electric:scada_expert_clearscada:2013:r2.1:*:*:*:*:*:*",
              "matchCriteriaId": "D2B6A429-6195-4213-A851-AF95A9C187F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:schneider-electric:scada_expert_clearscada:2014:r1:*:*:*:*:*:*",
              "matchCriteriaId": "84521A6D-AB6D-4518-A642-9BA4400DC599",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de XSS en Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 hasta 2014 R1 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores no especificados."
    }
  ],
  "id": "CVE-2014-5411",
  "lastModified": "2025-11-04T23:15:33.223",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 4.9,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:H/Au:S/C:N/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary",
        "userInteractionRequired": true
      },
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-09-18T10:55:11.640",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-259-01a.json"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-259-01a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-259-01"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

CVE-2014-5411 (GCVE-0-2014-5411)

Vulnerability from cvelistv5 – Published: 2014-09-18 10:00 – Updated: 2025-11-04 22:53

Summary

Severity ?

No CVSS data available.

CWE

CWE-79

Assigner

icscert

References

URL

Tags

	https://www.cisa.gov/news-events/ics-advisories/i…
	https://github.com/cisagov/CSAF/blob/develop/csaf…

Impacted products

Vendor

Product

Version

Schneider Electric

ClearSCADA

Affected: 2010 R3 (build 72.4560)
Affected: 2010 R3.1 (build 72.4644)
Unaffected: 2010 R3.2

Schneider Electric

SCADA Expert ClearSCADA

Affected: 2013 R1 (build 73.4729)
Affected: 2013 R1.1 (build 73.4832)
Affected: 2013 R1.1a (build 73.4903)
Affected: 2013 R1.2 (build 73.4955)
Affected: 2013 R2 (build 74.5094)
Affected: 2013 R2.1 (build 74.5192)
Affected: 2014 R1 (build 75.5210)
Unaffected: 2014 R1.1

Credits

Aditya Sood

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T11:41:49.172Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-259-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ClearSCADA",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "2010 R3 (build 72.4560)"
            },
            {
              "status": "affected",
              "version": "2010 R3.1 (build 72.4644)"
            },
            {
              "status": "unaffected",
              "version": "2010 R3.2"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "SCADA Expert ClearSCADA",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "status": "affected",
              "version": "2013 R1 (build 73.4729)"
            },
            {
              "status": "affected",
              "version": "2013 R1.1 (build 73.4832)"
            },
            {
              "status": "affected",
              "version": "2013 R1.1a (build 73.4903)"
            },
            {
              "status": "affected",
              "version": "2013 R1.2 (build 73.4955)"
            },
            {
              "status": "affected",
              "version": "2013 R2 (build 74.5094)"
            },
            {
              "status": "affected",
              "version": "2013 R2.1 (build 74.5192)"
            },
            {
              "status": "affected",
              "version": "2014 R1 (build 75.5210)"
            },
            {
              "status": "unaffected",
              "version": "2014 R1.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Aditya Sood"
        }
      ],
      "datePublic": "2014-09-16T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMultiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.\u003c/p\u003e"
            }
          ],
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."
        }
      ],
      "metrics": [
        {
          "cvssV2_0": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 4.9,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:H/Au:S/C:N/I:N/A:C",
            "version": "2.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-04T22:53:17.900Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-259-01a"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-259-01a.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSchneider Electric advises all ClearSCADA users to take steps to \nsecure the interfaces to the ClearSCADA system. The ClearSCADA database \nsecurity configuration should be reviewed and updated to limit all \nsystem access to authorized users only. The access permissions of \nexisting users should be reduced to only those required by their role \n(e.g., removing any higher level System Administration privileges from \nOperations or Engineering users), and specific accounts should be \ncreated with appropriate permissions for performing System \nAdministration tasks.\u003c/p\u003e\n\u003cp\u003eExisting ClearSCADA customers using WebX can protect their system \nfrom cross-site scripting attacks by disabling the \u201cAllow database \nshutdown via WebX\u201d option within the ClearSCADA Server Configuration \nutility.\u003c/p\u003e\n\u003cp\u003eExisting ClearSCADA customers should take measures to ensure their \nsystem does not grant any system access until users have supplied a \nvalid username and password.\u003c/p\u003e\n\u003cp\u003eSchneider Electric has corrected the default user security \npermissions; however, upgrading an existing vulnerable installation to a\n new version will not affect existing configured database security \npermissions. Therefore, the measures suggested here are strongly \nrecommended for all users.\u003c/p\u003e\n\u003cp\u003eSchneider Electric has corrected these vulnerabilities in the following service packs:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eClearSCADA 2010 R3.2, Released October 2014, and\u003c/li\u003e\n\u003cli\u003eSCADA Expert ClearSCADA 2014 R1.1, Released October 2014.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eIf asset owners wish to upgrade to a new ClearSCADA Service Pack, \nplease contact the local Schneider Electric office for the latest \nsoftware version for ClearSCADA; alternatively, these new versions are \navailable for direct download from the Schneider Electric web site. To \nupdate their license (not required when upgrading to a service pack of \nthe same version), asset owners are required to complete and submit an \nonline form, which is available here:\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://resourcecenter.controlmicrosystems.com/display/CS/StruxureWare+SCADA+Expert+ClearSCADA+Update+Request+Form\"\u003ehttp://resourcecenter.controlmicrosystems.com/display/CS/StruxureWare+SCADA+Expert+ClearSCADA+Update...\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eNew Service packs for ClearSCADA are available for download here:\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://resourcecenter.controlmicrosystems.com/display/CS/SCADA+Expert+ClearSCADA+Support\"\u003ehttp://resourcecenter.controlmicrosystems.com/display/CS/SCADA+Expert+ClearSCADA+Support\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eGeneral instructions on how to upgrade the ClearSCADA license (if required) are available here:\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://resourcecenter.controlmicrosystems.com/display/CS/Updating+Your+ClearSCADA+License\"\u003ehttp://resourcecenter.controlmicrosystems.com/display/CS/Updating+Your+ClearSCADA+License\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Schneider Electric advises all ClearSCADA users to take steps to \nsecure the interfaces to the ClearSCADA system. The ClearSCADA database \nsecurity configuration should be reviewed and updated to limit all \nsystem access to authorized users only. The access permissions of \nexisting users should be reduced to only those required by their role \n(e.g., removing any higher level System Administration privileges from \nOperations or Engineering users), and specific accounts should be \ncreated with appropriate permissions for performing System \nAdministration tasks.\n\n\nExisting ClearSCADA customers using WebX can protect their system \nfrom cross-site scripting attacks by disabling the \u201cAllow database \nshutdown via WebX\u201d option within the ClearSCADA Server Configuration \nutility.\n\n\nExisting ClearSCADA customers should take measures to ensure their \nsystem does not grant any system access until users have supplied a \nvalid username and password.\n\n\nSchneider Electric has corrected the default user security \npermissions; however, upgrading an existing vulnerable installation to a\n new version will not affect existing configured database security \npermissions. Therefore, the measures suggested here are strongly \nrecommended for all users.\n\n\nSchneider Electric has corrected these vulnerabilities in the following service packs:\n\n\n\n  *  ClearSCADA 2010 R3.2, Released October 2014, and\n\n  *  SCADA Expert ClearSCADA 2014 R1.1, Released October 2014.\n\n\n\n\nIf asset owners wish to upgrade to a new ClearSCADA Service Pack, \nplease contact the local Schneider Electric office for the latest \nsoftware version for ClearSCADA; alternatively, these new versions are \navailable for direct download from the Schneider Electric web site. To \nupdate their license (not required when upgrading to a service pack of \nthe same version), asset owners are required to complete and submit an \nonline form, which is available here:\n\n\n http://resourcecenter.controlmicrosystems.com/display/CS/StruxureWare+SCADA+Expert+ClearSCADA+Update... http://resourcecenter.controlmicrosystems.com/display/CS/StruxureWare+SCADA+Expert+ClearSCADA+Update+Request+Form \n\n\nNew Service packs for ClearSCADA are available for download here:\n\n\n http://resourcecenter.controlmicrosystems.com/display/CS/SCADA+Expert+ClearSCADA+Support \n\n\nGeneral instructions on how to upgrade the ClearSCADA license (if required) are available here:\n\n\n http://resourcecenter.controlmicrosystems.com/display/CS/Updating+Your+ClearSCADA+License"
        }
      ],
      "source": {
        "advisory": "ICSA-14-259-01",
        "discovery": "EXTERNAL"
      },
      "title": "Schneider Electric SCADA Expert ClearSCADA Cross-site Scripting",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2014-5411",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-259-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-259-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2014-5411",
    "datePublished": "2014-09-18T10:00:00",
    "dateReserved": "2014-08-22T00:00:00",
    "dateUpdated": "2025-11-04T22:53:17.900Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2014-5411

CVE-2014-5411 (GCVE-0-2014-5411)

Tags

Sightings

Nomenclature