From gtheall at tenable.com  Mon Nov  3 19:37:55 2014
From: gtheall at tenable.com (George Theall)
Date: Tue, 4 Nov 2014 01:37:55 +0000
Subject: [VIM] Nordex NC2 'username' Parameter Cross Site Scripting
	Vulnerability
Message-ID: <2A9A0F71-E2CF-4D8A-B5AC-E86D2B5B412E@tenable.com>

Himanshu / Dinesh / Narayan / Venkat / Rob : I?d appreciate it if one of you clarify the differences between BIDs 70851 and BID 63460. The earlier BID credits Darius Freemon and corresponds with his advisory posted at http://dariusfreamon.wordpress.com/tag/wind-power/ in October 2013. The more recent one also credits Freemon. I don?t see any references in the info at http://www.securityfocus.com/bid/70851/ but it seems to correspond to ICSA-14-303-01. And that says "This advisory is a follow-up to the alert titled ICS-ALERT-13-304-01 Nordex NC2 ? Cross-Site Scripting Vulnerability that was published October 31, 2013, on the NCCIC/ICS-CERT web site.?

I?m also confused by the discussion in BID 70851, specifically the assertion that "Versions prior to Nordex Control 2 (NC2) SCADA 16 are vulnerable.?. The ICS advisory lists as affected "Nordex Control 2 (NC2) SCADA V16 and prior versions.? ICS-CERT, I believe, coordinates these advisories with vendors. Does SecurityFocus as well? What can explain this discrepancy about whether V16 itself is affected?


George
-- 
theall at tenable.com