XSS

15 Jun 2017

[ICS] Trihedral VTScada Multiple Vulnerabilities

ICS-CERT published an advisory on one of my reports this week –
https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01
Vendor: Trihedral
Equipment: VTScada
Vulnerability: Resource Consumption, Cross-Site Scripting, Information Exposure
AFFECTED PRODUCTS
The following versions of VTScada, an HMI SCADA software, are affected:
VTScada Versions prior to 11.2.26 Read on for details.

Read more

05 Jul 2016

CIMA DocuClass Enterprise Content Management – Multiple Vulnerabilities

On a recent pentest, I came across CIMA DocuClass Enterprise Content Management application. I found multiple security vulnerabilities which can lead to unauthorized access to stored documents, access to underlying database, and code execution on the server via SQL Injection.

There has been no response from vendor as expected.

Read on for poc.

Read more

24 Dec 2015

[ICS] XZERES 442SR Wind Turbine XSS Vulnerability

[ICS] XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability

AFFECTED PRODUCTS
XZERES is a US-based energy company that maintains offices in several countries around the world, including the UK, Italy, Japan, Vietnam, Philippines, and Myanmar.

The affected product, 442SR Wind Turbine, has a web-based interface system. According to XZERES, the 442SR is deployed across the Energy sector. XZERES estimates that this product is used worldwide.

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-15-342-01

CVE-ID
CVE-2016-2287

IMPACT
Successful exploitation of this vulnerability could allow the injection of malicious script. This exploit can cause a loss of power for all attached systems.

Read on

Read more

24 Dec 2015

[ICS] eWON sa Industrial router – Multiple Vulnerabilities

Reported multiple vulnerabilities in eWON sa Industrial router. Response from eWON was not so surprisingly full of ignorance.

AFFECTED PRODUCTS
The following eWON router firmware versions are affected:
All eWON firmware versions prior to 10.1s0
 
ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-15-342-01
 
CVE-IDs
CVE-2015-7924
CVE-2015-7925
CVE-2015-7926
CVE-2015-7927
CVE-2015-7928
CVE-2015-7929

Read on.

Read more