CVE-2014-5408 - Vulnerability Details - OpenCVE

Cross-site scripting (XSS) vulnerability in the login script in the Wind Farm Portal on Nordex Control 2 (NC2) SCADA devices 15 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nordex	Nordex Control 2 Scada

Configuration 1 [-]

cpe:2.3:h:nordex:nordex_control_2_scada:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/70851
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-303-01.json
https://ics-cert.us-cert.gov/advisories/ICSA-14-303-01
https://www.cisa.gov/news-events/ics-advisories/icsa-14-303-01

History

Mon, 03 Nov 2025 19:00:00 +0000

Type	Values Removed	Values Added
Title		Nordex NC2 Cross-site Scripting
References		https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-303-01.json https://www.cisa.gov/news-events/ics-advisories/icsa-14-303-01
Metrics	cvssV2_0 `{'score': 4.3, 'vector': 'AV:N/AC:M/Au:N/C:N/I:P/A:N'}`	cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2014-11-05T11:00:00

Updated: 2025-11-03T18:50:14.150Z

Reserved: 2014-08-22T00:00:00

Link: CVE-2014-5408

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-11-05T11:55:06.437

Modified: 2025-11-03T19:15:38.847

Link: CVE-2014-5408

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Nordex Control 2 (NC2) SCADA", "vendor": "Nordex", "versions": [{"lessThanOrEqual": "15", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Darius Freamon"}], "datePublic": "2014-10-30T06:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Cross-site scripting (XSS) vulnerability in the login script in the Wind Farm Portal on Nordex Control 2 (NC2) SCADA devices 15 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter.</p>"}], "value": "Cross-site scripting (XSS) vulnerability in the login script in the Wind Farm Portal on Nordex Control 2 (NC2) SCADA devices 15 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter."}], "metrics": [{"cvssV2_0": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-11-03T18:50:14.150Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-303-01"}, {"name": "70851", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/70851"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-303-01.json"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Nordex will release a patch for all affected NC2-SCADA versions until\n the end of 2014. The patching of the NC2-SCADA system has to be done by\n Nordex.</p>\n<p>Nordex will upgrade all wind farms with a valid service contract to \nthe patched version of the NC2-SCADA in coordination with normal \nmaintenance operations.</p>\n<p>Owners of Nordex NC2-based wind farms without a valid service \ncontract can order the patch from Nordex by contacting their local \nNordex service organization.</p>\n\n<br>"}], "value": "Nordex will release a patch for all affected NC2-SCADA versions until\n the end of 2014. The patching of the NC2-SCADA system has to be done by\n Nordex.\n\n\nNordex will upgrade all wind farms with a valid service contract to \nthe patched version of the NC2-SCADA in coordination with normal \nmaintenance operations.\n\n\nOwners of Nordex NC2-based wind farms without a valid service \ncontract can order the patch from Nordex by contacting their local \nNordex service organization."}], "source": {"advisory": "ICSA-14-303-01", "discovery": "EXTERNAL"}, "title": "Nordex NC2 Cross-site Scripting", "x_generator": {"engine": "Vulnogram 0.5.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2014-5408", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the login script in the Wind Farm Portal on Nordex Control 2 (NC2) SCADA devices 15 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-303-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-303-01"}, {"name": "70851", "refsource": "BID", "url": "http://www.securityfocus.com/bid/70851"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T11:41:49.060Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-303-01"}, {"name": "70851", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/70851"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2014-5408", "datePublished": "2014-11-05T11:00:00", "dateReserved": "2014-08-22T00:00:00", "dateUpdated": "2025-11-03T18:50:14.150Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:nordex:nordex_control_2_scada:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8463267-BF0F-4FE4-80B2-4A8F00315C52", "versionEndIncluding": "15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the login script in the Wind Farm Portal on Nordex Control 2 (NC2) SCADA devices 15 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter."}, {"lang": "es", "value": "Vulnerabilidad de XSS en las secuencias de comandos del inicio de sesi\u00f3n en el portal Wind Farm en los dispositivos SCADA de Nordex Control 2 (NC2) 15 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro username."}], "id": "CVE-2014-5408", "lastModified": "2025-11-03T19:15:38.847", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "ics-cert@hq.dhs.gov", "type": "Secondary", "userInteractionRequired": true}, {"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-11-05T11:55:06.437", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "http://www.securityfocus.com/bid/70851"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-303-01.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-303-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/70851"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-303-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}