CVSS: 10.0EPSS: 1%CPEs: 3EXPL: 6CVE-2024-48839 – Remote Code Execution, RCE
https://notcve.org/view.php?id=CVE-2024-48839
05 Dec 2024 — Improper Input Validation vulnerability allows Remote Code Execution. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 ABB Cylon Aspect version 3.08.02 is vulnerable to code execution and sudo misconfiguration flaws. An authenticated remote code execution vulnerability in the firmware update mechanism allows an attacker with valid credentials to escalate privileges and execute commands as root. The process involves uploading a crafted .aam file through fileS... • https://packetstorm.news/files/id/183448 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2024-11316 – Filesize Check
https://notcve.org/view.php?id=CVE-2024-11316
05 Dec 2024 — Fileszie Check vulnerabilities allow a malicious user to bypass size limits or overload to the product. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 • https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 1CVE-2024-6784 – SSRF Server Side Request Forgery
https://notcve.org/view.php?id=CVE-2024-6784
05 Dec 2024 — Server-Side Request Forgery vulnerabilities were found providing a potential for access to unauthorized resources and unintended information disclosure. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 • https://packetstorm.news/files/id/183078 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 4CVE-2024-6516 – Cross Site Scripting XSS
https://notcve.org/view.php?id=CVE-2024-6516
05 Dec 2024 — Cross Site Scripting vulnerabilities where found providing a potential for malicious scripts to be injected into a client browser. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02 ABB Cylon Aspect version 3.08.02 suffers from an authenticated blind command injection vulnerability. Input passed to several POST parameters is not properly sanitized when writing files, allowing attackers to execute arbitrary shell commands on the system. There is also an off-by-... • https://packetstorm.news/files/id/183448 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 3EXPL: 1CVE-2024-4007 – Hard coded default credential contained in install package
https://notcve.org/view.php?id=CVE-2024-4007
01 Jul 2024 — Default credential in install package in ABB ASPECT; NEXUS Series; MATRIX Series version 3.07 allows attacker to login to product instances wrongly configured. ABB Cylon Aspect version 3.07.01 BMS/BAS controller is operating with default and hard-coded credentials contained in install package while exposed to the Internet. • https://packetstorm.news/files/id/181853 • CWE-1392: Use of Default Credentials •