CVE-2014-5412 - Vulnerability Details - OpenCVE

Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Aveva	Clearscada
Schneider-electric	Scada Expert Clearscada

Configuration 1 [-]

OR	cpe:2.3:a:aveva:clearscada:2010:r3::::::
	cpe:2.3:a:aveva:clearscada:2010:r3.1::::::
	cpe:2.3:a:aveva:clearscada:2013:r1::::::
	cpe:2.3:a:aveva:clearscada:2013:r1.1::::::
	cpe:2.3:a:aveva:clearscada:2013:r1.1a::::::
	cpe:2.3:a:aveva:clearscada:2013:r1.2::::::
	cpe:2.3:a:aveva:clearscada:2013:r2::::::
	cpe:2.3:a:schneider-electric:scada_expert_clearscada:2013:r2.1::::::
	cpe:2.3:a:schneider-electric:scada_expert_clearscada:2014:r1::::::

No data.

References

Link	Providers
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-259-01a.json
https://ics-cert.us-cert.gov/advisories/ICSA-14-259-01
https://www.cisa.gov/news-events/ics-advisories/icsa-14-259-01a

History

Tue, 04 Nov 2025 23:00:00 +0000

Type	Values Removed	Values Added
Title		Schneider Electric SCADA Expert ClearSCADA Improper Authentication
Weaknesses		CWE-287
References		https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-259-01a.json https://www.cisa.gov/news-events/ics-advisories/icsa-14-259-01a
Metrics	cvssV2_0 `{'score': 5.0, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N'}`	cvssV2_0 `{'score': 6.4, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:N'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2014-09-18T10:00:00

Updated: 2025-11-04T22:56:12.970Z

Reserved: 2014-08-22T00:00:00

Link: CVE-2014-5412

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-09-18T10:55:11.687

Modified: 2025-11-04T23:15:33.393

Link: CVE-2014-5412

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ClearSCADA", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "2010 R3 (build 72.4560)"}, {"status": "affected", "version": "2010 R3.1 (build 72.4644)"}, {"status": "unaffected", "version": "2010 R3.2"}]}, {"defaultStatus": "unaffected", "product": "SCADA Expert ClearSCADA", "vendor": "Schneider Electric", "versions": [{"status": "affected", "version": "2013 R1 (build 73.4729)"}, {"status": "affected", "version": "2013 R1.1 (build 73.4832)"}, {"status": "affected", "version": "2013 R1.1a (build 73.4903)"}, {"status": "affected", "version": "2013 R1.2 (build 73.4955)"}, {"status": "affected", "version": "2013 R2 (build 74.5094)"}, {"status": "affected", "version": "2013 R2.1 (build 74.5192)"}, {"status": "affected", "version": "2014 R1 (build 75.5210)"}, {"status": "unaffected", "version": "2014 R1.1"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Aditya Sood"}], "datePublic": "2014-09-16T06:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account."}], "value": "Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account."}], "metrics": [{"cvssV2_0": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-11-04T22:56:12.970Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-259-01a"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-259-01a.json"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Schneider Electric advises all ClearSCADA users to take steps to \nsecure the interfaces to the ClearSCADA system. The ClearSCADA database \nsecurity configuration should be reviewed and updated to limit all \nsystem access to authorized users only. The access permissions of \nexisting users should be reduced to only those required by their role \n(e.g., removing any higher level System Administration privileges from \nOperations or Engineering users), and specific accounts should be \ncreated with appropriate permissions for performing System \nAdministration tasks.</p>\n<p>Existing ClearSCADA customers using WebX can protect their system \nfrom cross-site scripting attacks by disabling the \u201cAllow database \nshutdown via WebX\u201d option within the ClearSCADA Server Configuration \nutility.</p>\n<p>Existing ClearSCADA customers should take measures to ensure their \nsystem does not grant any system access until users have supplied a \nvalid username and password.</p>\n<p>Schneider Electric has corrected the default user security \npermissions; however, upgrading an existing vulnerable installation to a\n new version will not affect existing configured database security \npermissions. Therefore, the measures suggested here are strongly \nrecommended for all users.</p>\n<p>Schneider Electric has corrected these vulnerabilities in the following service packs:</p>\n<ul>\n<li>ClearSCADA 2010 R3.2, Released October 2014, and</li>\n<li>SCADA Expert ClearSCADA 2014 R1.1, Released October 2014.</li>\n</ul>\n<p>If asset owners wish to upgrade to a new ClearSCADA Service Pack, \nplease contact the local Schneider Electric office for the latest \nsoftware version for ClearSCADA; alternatively, these new versions are \navailable for direct download from the Schneider Electric web site. To \nupdate their license (not required when upgrading to a service pack of \nthe same version), asset owners are required to complete and submit an \nonline form, which is available here:</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"http://resourcecenter.controlmicrosystems.com/display/CS/StruxureWare+SCADA+Expert+ClearSCADA+Update+Request+Form\">http://resourcecenter.controlmicrosystems.com/display/CS/StruxureWare+SCADA+Expert+ClearSCADA+Update...</a></p>\n<p>New Service packs for ClearSCADA are available for download here:</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"http://resourcecenter.controlmicrosystems.com/display/CS/SCADA+Expert+ClearSCADA+Support\">http://resourcecenter.controlmicrosystems.com/display/CS/SCADA+Expert+ClearSCADA+Support</a></p>\n<p>General instructions on how to upgrade the ClearSCADA license (if required) are available here:</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"http://resourcecenter.controlmicrosystems.com/display/CS/Updating+Your+ClearSCADA+License\">http://resourcecenter.controlmicrosystems.com/display/CS/Updating+Your+ClearSCADA+License</a></p>\n\n<br>"}], "value": "Schneider Electric advises all ClearSCADA users to take steps to \nsecure the interfaces to the ClearSCADA system. The ClearSCADA database \nsecurity configuration should be reviewed and updated to limit all \nsystem access to authorized users only. The access permissions of \nexisting users should be reduced to only those required by their role \n(e.g., removing any higher level System Administration privileges from \nOperations or Engineering users), and specific accounts should be \ncreated with appropriate permissions for performing System \nAdministration tasks.\n\n\nExisting ClearSCADA customers using WebX can protect their system \nfrom cross-site scripting attacks by disabling the \u201cAllow database \nshutdown via WebX\u201d option within the ClearSCADA Server Configuration \nutility.\n\n\nExisting ClearSCADA customers should take measures to ensure their \nsystem does not grant any system access until users have supplied a \nvalid username and password.\n\n\nSchneider Electric has corrected the default user security \npermissions; however, upgrading an existing vulnerable installation to a\n new version will not affect existing configured database security \npermissions. Therefore, the measures suggested here are strongly \nrecommended for all users.\n\n\nSchneider Electric has corrected these vulnerabilities in the following service packs:\n\n\n\n * ClearSCADA 2010 R3.2, Released October 2014, and\n\n * SCADA Expert ClearSCADA 2014 R1.1, Released October 2014.\n\n\n\n\nIf asset owners wish to upgrade to a new ClearSCADA Service Pack, \nplease contact the local Schneider Electric office for the latest \nsoftware version for ClearSCADA; alternatively, these new versions are \navailable for direct download from the Schneider Electric web site. To \nupdate their license (not required when upgrading to a service pack of \nthe same version), asset owners are required to complete and submit an \nonline form, which is available here:\n\n\n http://resourcecenter.controlmicrosystems.com/display/CS/StruxureWare+SCADA+Expert+ClearSCADA+Update... http://resourcecenter.controlmicrosystems.com/display/CS/StruxureWare+SCADA+Expert+ClearSCADA+Update+Request+Form \n\n\nNew Service packs for ClearSCADA are available for download here:\n\n\n http://resourcecenter.controlmicrosystems.com/display/CS/SCADA+Expert+ClearSCADA+Support \n\n\nGeneral instructions on how to upgrade the ClearSCADA license (if required) are available here:\n\n\n http://resourcecenter.controlmicrosystems.com/display/CS/Updating+Your+ClearSCADA+License"}], "source": {"advisory": "ICSA-14-259-01", "discovery": "EXTERNAL"}, "title": "Schneider Electric SCADA Expert ClearSCADA Improper Authentication", "x_generator": {"engine": "Vulnogram 0.5.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2014-5411", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-259-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-259-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T11:41:49.067Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-259-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2014-5412", "datePublished": "2014-09-18T10:00:00", "dateReserved": "2014-08-22T00:00:00", "dateUpdated": "2025-11-04T22:56:12.970Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aveva:clearscada:2010:r3:*:*:*:*:*:*", "matchCriteriaId": "AAD213FA-E444-4DDB-B593-CC79C45D92F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:clearscada:2010:r3.1:*:*:*:*:*:*", "matchCriteriaId": "E4FBC203-019A-4DE0-97ED-F0A4872B4E55", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:clearscada:2013:r1:*:*:*:*:*:*", "matchCriteriaId": "0733DE5C-D168-4A2B-996F-E2BE671FB4C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:clearscada:2013:r1.1:*:*:*:*:*:*", "matchCriteriaId": "9A22FFBF-1EAF-478B-A8F4-5EDBDCAE8F41", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:clearscada:2013:r1.1a:*:*:*:*:*:*", "matchCriteriaId": "64BF21B8-F98E-46C5-A1AC-FE7DBD45D80F", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:clearscada:2013:r1.2:*:*:*:*:*:*", "matchCriteriaId": "A2115F6A-1689-4121-99FA-5821C78BA394", "vulnerable": true}, {"criteria": "cpe:2.3:a:aveva:clearscada:2013:r2:*:*:*:*:*:*", "matchCriteriaId": "D2F240E9-4C6F-4257-9F20-456B736569CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:scada_expert_clearscada:2013:r2.1:*:*:*:*:*:*", "matchCriteriaId": "D2B6A429-6195-4213-A851-AF95A9C187F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:schneider-electric:scada_expert_clearscada:2014:r1:*:*:*:*:*:*", "matchCriteriaId": "84521A6D-AB6D-4518-A642-9BA4400DC599", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account."}, {"lang": "es", "value": "Schneider Electric StruxureWare SCADA Expert ClearSCADA versiones desde 2010 R3 hasta 2014 R1 permite a atacantes remotos leer registros de la base de datos a trav\u00e9s del acceso con la cuenta de invitado."}], "id": "CVE-2014-5412", "lastModified": "2025-11-04T23:15:33.393", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "ics-cert@hq.dhs.gov", "type": "Secondary", "userInteractionRequired": false}, {"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-09-18T10:55:11.687", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-259-01a.json"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-259-01a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-259-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Secondary"}]}