CVE-2014-5398
Invensys Wonderware Information Server - Improper Input Validation
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to read arbitrary files or cause a denial of service via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
References (3)
Core References
Various Sources
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-238-02.json
US Government Resource
https://ics-cert.us-cert.gov/advisories/ICSA-14-238-02
Third Party Advisory, US Government Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-14-238-02
Scores
EPSS: 0.0031
EPSS Percentile: 54.1%
Details
CWE: CWE-20
Status: published
Products (8)
invensys/wonderware_information_server: 4.0 sp1 (2 CPE variants)
invensys/wonderware_information_server: 4.5
invensys/wonderware_information_server: 5.0
invensys/wonderware_information_server: 5.5
Schneider Electric/Wonderware Information Server Portal: 4.0 SP1
Schneider Electric/Wonderware Information Server Portal: 4.5
Schneider Electric/Wonderware Information Server Portal: 5.0
Schneider Electric/Wonderware Information Server Portal: 5.5
Published: Aug 28, 2014
Tracked Since: Feb 18, 2026