[VIM] Nordex NC2 'username' Parameter Cross Site Scripting Vulnerability
George Theall
gtheall at tenable.com
Mon Nov 3 19:37:55 CST 2014
Himanshu / Dinesh / Narayan / Venkat / Rob : I’d appreciate it if one of you clarify the differences between BIDs 70851 and BID 63460. The earlier BID credits Darius Freemon and corresponds with his advisory posted at http://dariusfreamon.wordpress.com/tag/wind-power/ in October 2013. The more recent one also credits Freemon. I don’t see any references in the info at http://www.securityfocus.com/bid/70851/ but it seems to correspond to ICSA-14-303-01. And that says "This advisory is a follow-up to the alert titled ICS-ALERT-13-304-01 Nordex NC2 – Cross-Site Scripting Vulnerability that was published October 31, 2013, on the NCCIC/ICS-CERT web site.”
I’m also confused by the discussion in BID 70851, specifically the assertion that "Versions prior to Nordex Control 2 (NC2) SCADA 16 are vulnerable.”. The ICS advisory lists as affected "Nordex Control 2 (NC2) SCADA V16 and prior versions.” ICS-CERT, I believe, coordinates these advisories with vendors. Does SecurityFocus as well? What can explain this discrepancy about whether V16 itself is affected?
George
--
theall at tenable.com
More information about the VIM
mailing list