Details of VAR-201903-0624

ID

VAR-201903-0624

CVE

CVE-2015-6462

TITLE

Schneider Electric Modicon PLC Cross-Site Scripting Vulnerability

Trust: 0.8

sources: IVD: 7c549830-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05939

DESCRIPTION

Reflected Cross-Site Scripting (nonpersistent) allows an attacker to craft a specific URL, which contains Java script that will be executed on the Schneider Electric Modicon BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, or BMXP342030H PLC client browser. plural Schneider Electric Modicon The product contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Modicon PLC is a programmable controller product for the dam, energy, food agriculture and other industries. Multiple Schneider Electric Modicon M340 PLC products are prone to an unspecified cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Schneider Electric Modicon PLC BMXNOC0401 etc. are programmable controllers of French Schneider Electric (Schneider Electric). The following products are affected: Schneider Electric Modicon PLC BMXNOC0401, BMXNOE0100, BMXNOE0110, BMXNOE0110H, BMXNOR0200H, BMXP342020, BMXP342020H, BMXP342030, BMXP3420302, BMXP3420302H, BMXP3420303030

Trust: 2.7

sources: NVD: CVE-2015-6462 // JVNDB: JVNDB-2015-008241 // CNVD: CNVD-2015-05939 // BID: 76613 // IVD: 7c549830-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-84423

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 7c549830-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05939

AFFECTED PRODUCTS

vendor:	schneider electric	model:	modicon m340 bmxp3420302h	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp342030h	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	bmxnoe0100	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	bmxnoe0110	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	bmxnoc0401	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	bmxnoe0110h	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	bmxnor0200h	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp3420302	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp342030	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp342020h	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	modicon m340 bmxp342020	scope:	eq	version:	-	Trust: 1.0
vendor:	schneider electric	model:	bmxnoc0401	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxnoe0100	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxnoe0110	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxnoe0110h	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxnor0200h	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxp342020	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxp342020h	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxp342030	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxp3420302	scope:	-	version:	-	Trust: 0.8
vendor:	schneider electric	model:	bmxp3420302h	scope:	-	version:	-	Trust: 0.8
vendor:	schneider	model:	electric modicon plc	scope:	-	version:	-	Trust: 0.6
vendor:	schneider electric	model:	modicon m340 bmxp342030h	scope:	-	version:	-	Trust: 0.3
vendor:	schneider electric	model:	modicon m340 bmxp3420302h	scope:	-	version:	-	Trust: 0.3
vendor:	schneider electric	model:	modicon m340 bmxp3420302	scope:	-	version:	-	Trust: 0.3
vendor:	schneider electric	model:	modicon m340 bmxp342030	scope:	-	version:	-	Trust: 0.3
vendor:	schneider electric	model:	modicon m340 bmxp342020h	scope:	-	version:	-	Trust: 0.3
vendor:	schneider electric	model:	modicon m340 bmxp342020	scope:	-	version:	-	Trust: 0.3
vendor:	schneider electric	model:	modicon m340 bmxnor0200h	scope:	-	version:	-	Trust: 0.3
vendor:	schneider electric	model:	modicon m340 bmxnoe0110h	scope:	-	version:	-	Trust: 0.3
vendor:	schneider electric	model:	modicon m340 bmxnoe0110	scope:	-	version:	-	Trust: 0.3
vendor:	schneider electric	model:	modicon m340 bmxnoe0100	scope:	-	version:	-	Trust: 0.3
vendor:	schneider electric	model:	modicon m340 bmxnoc0401	scope:	-	version:	-	Trust: 0.3
vendor:	bmxnoc0401	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	bmxp3420302h	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	bmxp342030h	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	bmxnoe0100	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	bmxnoe0110	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	bmxnoe0110h	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	bmxnor0200h	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	bmxp342020	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	bmxp342020h	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	bmxp342030	model:	-	scope:	eq	version:	-	Trust: 0.2
vendor:	bmxp3420302	model:	-	scope:	eq	version:	-	Trust: 0.2

sources: IVD: 7c549830-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05939 // BID: 76613 // JVNDB: JVNDB-2015-008241 // NVD: CVE-2015-6462

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-6462
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-6462
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-05939
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201509-443
value:	MEDIUM
Trust: 0.6
IVD:	7c549830-2351-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2
VULHUB:	VHN-84423
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2015-6462
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-05939
severity:	LOW
baseScore:	3.2
vectorString:	AV:L/AC:L/AU:S/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.1
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7c549830-2351-11e6-abef-000c29c66e3d
severity:	LOW
baseScore:	3.2
vectorString:	AV:L/AC:L/AU:S/C:P/I:P/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	3.1
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-84423
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2015-6462
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: IVD: 7c549830-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05939 // VULHUB: VHN-84423 // JVNDB: JVNDB-2015-008241 // CNNVD: CNNVD-201509-443 // NVD: CVE-2015-6462

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-84423 // JVNDB: JVNDB-2015-008241 // NVD: CVE-2015-6462

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201509-443

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201509-443

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-008241

PATCH

title:	トップページ	url:	https://www.se.com/jp/ja/	Trust: 0.8
title:	Patch for Schneider Electric Modicon PLC Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/63775	Trust: 0.6

sources: CNVD: CNVD-2015-05939 // JVNDB: JVNDB-2015-008241

EXTERNAL IDS

db:	NVD	id:	CVE-2015-6462	Trust: 3.6
db:	ICS CERT	id:	ICSA-15-246-02	Trust: 3.4
db:	CNNVD	id:	CNNVD-201509-443	Trust: 0.9
db:	CNVD	id:	CNVD-2015-05939	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-008241	Trust: 0.8
db:	SCHNEIDER	id:	SEVD-2015-233-01	Trust: 0.6
db:	BID	id:	76613	Trust: 0.4
db:	IVD	id:	7C549830-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-84423	Trust: 0.1

sources: IVD: 7c549830-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05939 // VULHUB: VHN-84423 // BID: 76613 // JVNDB: JVNDB-2015-008241 // CNNVD: CNNVD-201509-443 // NVD: CVE-2015-6462

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-15-246-02	Trust: 3.4
url:	https://nvd.nist.gov/vuln/detail/cve-2015-6462	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6462	Trust: 0.8
url:	http://download.schneider-electric.com/files?p_file_id=1039693246&p_file_name=sevd-2015-233-01.pdf	Trust: 0.6
url:	http://www.schneider-electric.com/en/product-range/1468-modicon-m340/	Trust: 0.3

sources: CNVD: CNVD-2015-05939 // VULHUB: VHN-84423 // BID: 76613 // JVNDB: JVNDB-2015-008241 // CNNVD: CNNVD-201509-443 // NVD: CVE-2015-6462

CREDITS

Aditya K. Sood and Juan Francisco Bolivar

Trust: 0.9

sources: BID: 76613 // CNNVD: CNNVD-201509-443

SOURCES

db:	IVD	id:	7c549830-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2015-05939
db:	VULHUB	id:	VHN-84423
db:	BID	id:	76613
db:	JVNDB	id:	JVNDB-2015-008241
db:	CNNVD	id:	CNNVD-201509-443
db:	NVD	id:	CVE-2015-6462

LAST UPDATE DATE

2024-11-23T22:30:07.838000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-05939	date:	2015-09-11T00:00:00
db:	VULHUB	id:	VHN-84423	date:	2019-10-09T00:00:00
db:	BID	id:	76613	date:	2015-09-03T00:00:00
db:	JVNDB	id:	JVNDB-2015-008241	date:	2019-05-07T00:00:00
db:	CNNVD	id:	CNNVD-201509-443	date:	2019-10-10T00:00:00
db:	NVD	id:	CVE-2015-6462	date:	2024-11-21T02:35:00.833

SOURCES RELEASE DATE

db:	IVD	id:	7c549830-2351-11e6-abef-000c29c66e3d	date:	2015-09-11T00:00:00
db:	CNVD	id:	CNVD-2015-05939	date:	2015-09-11T00:00:00
db:	VULHUB	id:	VHN-84423	date:	2019-03-21T00:00:00
db:	BID	id:	76613	date:	2015-09-03T00:00:00
db:	JVNDB	id:	JVNDB-2015-008241	date:	2019-05-07T00:00:00
db:	CNNVD	id:	CNNVD-201509-443	date:	2015-09-23T00:00:00
db:	NVD	id:	CVE-2015-6462	date:	2019-03-21T19:29:00.317