CVE-2024-6784 – SSRF Server Side Request Forgery
https://notcve.org/view.php?id=CVE-2024-6784
Server-Side Request Forgery vulnerabilities were found providing a potential for access to unauthorized resources and unintended information disclosure. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 • https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2024-6516 – Cross Site Scripting XSS
https://notcve.org/view.php?id=CVE-2024-6516
Cross Site Scripting vulnerabilities where found providing a potential for malicious scripts to be injected into a client browser. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 • https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-4007 – Hard coded default credential contained in install package
https://notcve.org/view.php?id=CVE-2024-4007
Default credential in install package in ABB ASPECT; NEXUS Series; MATRIX Series version 3.07 allows attacker to login to product instances wrongly configured. ABB Cylon Aspect version 3.07.01 BMS/BAS controller is operating with default and hard-coded credentials contained in install package while exposed to the Internet. • https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A6101&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-1392: Use of Default Credentials •