Details of VAR-201501-0145

ID

VAR-201501-0145

CVE

CVE-2015-1179

TITLE

Infinite Automation Systems Mango Automation Cross-Site Scripting Vulnerability

Trust: 1.4

sources: IVD: a65b8918-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-00754 // CNNVD: CNNVD-201501-623

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in data_point_details.shtm in Mango Automation 2.4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dpid, (2) dpxid, or (3) pid parameter. Infinite Automation Systems Mango Automation is an open source SCADA/HMI software application from Infinite Automation Systems of Australia that provides real-time logging of data from sensors, PLCs, and databases, generating logs and reports, and sending alerts. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Mango Automation 2.4.0 is vulnerable; other versions may also be affected

Trust: 2.61

sources: NVD: CVE-2015-1179 // JVNDB: JVNDB-2015-001236 // CNVD: CNVD-2015-00754 // BID: 72780 // IVD: a65b8918-2351-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: a65b8918-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-00754

AFFECTED PRODUCTS

vendor:	infinite automation	model:	mango automation	scope:	lte	version:	2.4.0	Trust: 1.0
vendor:	infinite automation	model:	mango automation	scope:	eq	version:	-	Trust: 0.8
vendor:	infinite automation	model:	mango automation	scope:	lte	version:	2.4.0 and earlier	Trust: 0.8
vendor:	infinite automation	model:	mango automation	scope:	lte	version:	<=2.4.0	Trust: 0.6
vendor:	infinite automation	model:	mango automation	scope:	eq	version:	2.4.0	Trust: 0.6
vendor:	infinite	model:	automation systems mango automation	scope:	eq	version:	2.4.0	Trust: 0.3
vendor:	mango automation	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: a65b8918-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-00754 // BID: 72780 // JVNDB: JVNDB-2015-001236 // CNNVD: CNNVD-201501-623 // NVD: CVE-2015-1179

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-1179
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-1179
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-00754
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201501-623
value:	MEDIUM
Trust: 0.6
IVD:	a65b8918-2351-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2015-1179
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-00754
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	a65b8918-2351-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: a65b8918-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-00754 // JVNDB: JVNDB-2015-001236 // CNNVD: CNNVD-201501-623 // NVD: CVE-2015-1179

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2015-001236 // NVD: CVE-2015-1179

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201501-623

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201501-623

PATCH

title:	Mango Features (Mango Automation)	url:	http://infiniteautomation.com/index.php/software	Trust: 0.8
title:	Patch for Infinite Automation Systems Mango Automation Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/54648	Trust: 0.6
title:	mango_automation_2.5.0_full_install-2	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=53545	Trust: 0.6

sources: CNVD: CNVD-2015-00754 // JVNDB: JVNDB-2015-001236 // CNNVD: CNNVD-201501-623

EXTERNAL IDS

db:	NVD	id:	CVE-2015-1179	Trust: 4.3
db:	PACKETSTORM	id:	130062	Trust: 2.4
db:	BID	id:	72780	Trust: 0.9
db:	CNVD	id:	CNVD-2015-00754	Trust: 0.8
db:	CNNVD	id:	CNNVD-201501-623	Trust: 0.8
db:	ICS CERT	id:	ICSA-23-115-02	Trust: 0.8
db:	JVN	id:	JVNVU99350303	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-001236	Trust: 0.8
db:	IVD	id:	A65B8918-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2

sources: IVD: a65b8918-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-00754 // BID: 72780 // JVNDB: JVNDB-2015-001236 // CNNVD: CNNVD-201501-623 // NVD: CVE-2015-1179

REFERENCES

url:	http://packetstormsecurity.com/files/130062/mango-automation-scada-hmi-2.4.0-cross-site-scripting.html	Trust: 2.4
url:	http://www.securityfocus.com/archive/1/archive/1/534530/100/0/threaded	Trust: 1.5
url:	http://www.securityfocus.com/archive/1/534530/100/0/threaded	Trust: 1.0
url:	http://jvn.jp/vu/jvnvu99350303/index.html	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1179	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-02	Trust: 0.8
url:	http://infiniteautomation.com/	Trust: 0.3

sources: CNVD: CNVD-2015-00754 // BID: 72780 // JVNDB: JVNDB-2015-001236 // CNNVD: CNNVD-201501-623 // NVD: CVE-2015-1179

CREDITS

Sudhanshu Chauhan

Trust: 0.3

sources: BID: 72780

SOURCES

db:	IVD	id:	a65b8918-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2015-00754
db:	BID	id:	72780
db:	JVNDB	id:	JVNDB-2015-001236
db:	CNNVD	id:	CNNVD-201501-623
db:	NVD	id:	CVE-2015-1179

LAST UPDATE DATE

2024-11-23T22:08:11.293000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-00754	date:	2015-01-30T00:00:00
db:	BID	id:	72780	date:	2015-01-22T00:00:00
db:	JVNDB	id:	JVNDB-2015-001236	date:	2023-04-27T02:16:00
db:	CNNVD	id:	CNNVD-201501-623	date:	2015-01-27T00:00:00
db:	NVD	id:	CVE-2015-1179	date:	2024-11-21T02:24:50.073

SOURCES RELEASE DATE

db:	IVD	id:	a65b8918-2351-11e6-abef-000c29c66e3d	date:	2015-01-30T00:00:00
db:	CNVD	id:	CNVD-2015-00754	date:	2015-01-29T00:00:00
db:	BID	id:	72780	date:	2015-01-22T00:00:00
db:	JVNDB	id:	JVNDB-2015-001236	date:	2015-01-27T00:00:00
db:	CNNVD	id:	CNNVD-201501-623	date:	2015-01-27T00:00:00
db:	NVD	id:	CVE-2015-1179	date:	2015-01-26T15:59:14.330