CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19094 – ABB eSOMS: SQL injection vulnerability
https://notcve.org/view.php?id=CVE-2019-19094
02 Apr 2020 — Lack of input checks for SQL queries in ABB eSOMS versions 3.9 to 6.0.3 might allow an attacker SQL injection attacks against the backend database. Una falta de comprobaciones de entrada para consultas SQL en ABB eSOMS versiones 3.9 hasta 6.0.3, podría permitir a un atacante ataques de inyección SQL contra la base de datos del back-end. • https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19093 – ABB eSOMS: Password complexity issue
https://notcve.org/view.php?id=CVE-2019-19093
02 Apr 2020 — eSOMS versions 4.0 to 6.0.3 do not enforce password complexity settings, potentially resulting in lower access security due to insecure user passwords. eSOMS versiones 4.0 hasta 6.0.3, no aplica la configuración de la complejidad de la contraseña, resultando potencialmente en una menor seguridad de acceso debido a contraseñas de usuario no seguras. • https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-521: Weak Password Requirements •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19092 – ABB eSOMS: Viewstate without MAC Signature
https://notcve.org/view.php?id=CVE-2019-19092
02 Apr 2020 — ABB eSOMS versions 4.0 to 6.0.3 use ASP.NET Viewstate without Message Authentication Code (MAC). Alterations to Viewstate might thus not be noticed. ABB eSOMS versiones 4.0 hasta 6.0.3, usan ASP.NET Viewstate sin el Message Authentication Code (MAC). Por lo tanto, las alteraciones en Viewstate podrían así no ser notadas. • https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-16: Configuration CWE-306: Missing Authentication for Critical Function •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19091 – ABB eSOMS: HTTP response information leakage
https://notcve.org/view.php?id=CVE-2019-19091
02 Apr 2020 — For ABB eSOMS versions 4.0 to 6.0.3, HTTPS responses contain comments with sensitive information about the application. An attacker might use this detail information to specifically craft the attack. Para ABB eSOMS versiones 4.0 hasta 6.0.3, las respuestas HTTPS contienen comentarios con información confidencial sobre la aplicación. Un atacante podría utilizar esta información detallada para diseñar el ataque específicamente. • https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-16: Configuration CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-202: Exposure of Sensitive Information Through Data Queries •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19090 – ABB eSOMS: Secure Flag not set
https://notcve.org/view.php?id=CVE-2019-19090
02 Apr 2020 — For ABB eSOMS versions 4.0 to 6.0.2, the Secure Flag is not set in the HTTP response header. Unencrypted connections might access the cookie information, thus making it susceptible to eavesdropping. Para ABB eSOMS versiones 4.0 hasta 6.0.2, el Secure Flag no se establece en el encabezado de respuesta HTTP. Las conexiones no cifradas pueden acceder a la información de la cookie, haciéndolas así susceptibles a espionaje. • https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-16: Configuration CWE-311: Missing Encryption of Sensitive Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19089 – eSOMS: X-Content-Type-Options Header Missing
https://notcve.org/view.php?id=CVE-2019-19089
02 Apr 2020 — For ABB eSOMS versions 4.0 to 6.0.3, the X-Content-Type-Options Header is missing in the HTTP response, potentially causing the response body to be interpreted and displayed as different content type other than declared. A possible attack scenario would be unauthorized code execution via text interpreted as JavaScript. Para ABB eSOMS versiones 4.0 hasta 6.0.3, el Encabezado X-Content-Type-Options esta faltando en la respuesta HTTP, causando potencialmente que el cuerpo de la respuesta sea interprete y despl... • https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-16: Configuration CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-436: Interpretation Conflict •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-19003 – ABB eSOMS: HTTPOnly flag not set
https://notcve.org/view.php?id=CVE-2019-19003
02 Apr 2020 — For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. This can allow Javascript to access the cookie contents, which in turn might enable Cross Site Scripting. Para ABB eSOMS versiones 4.0 hasta 6.0.2, el flag HTTPOnly no es configurado. Esto puede permitir que un Javascript acceda al contenido de la cookie, lo que a su vez podría habilitar un ataque de tipo Cross Site Scripting. • https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-16: Configuration CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2019-18998 – Asset Suite Direct Object Reference Access
https://notcve.org/view.php?id=CVE-2019-18998
17 Feb 2020 — Insufficient access control in the web interface of ABB Asset Suite versions 9.0 to 9.3, 9.4 prior to 9.4.2.6, 9.5 prior to 9.5.3.2 and 9.6.0 enables full access to directly referenced objects. An attacker with knowledge of a resource's URL can access the resource directly. Un control de acceso insuficiente en la interfaz web de ABB Asset Suite versiones 9.0 hasta 9.3, versiones 9.4 anteriores a 9.4.2.6, versiones 9.5 anteriores a 9.5.3.2 y versión 9.6.0, permite el acceso completo a objetos referenciados d... • https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-284: Improper Access Control CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2019-18253
https://notcve.org/view.php?id=CVE-2019-18253
27 Nov 2019 — An attacker could use specially crafted paths in a specific request to read or delete files from Relion 670 Series (versions 1p1r26, 1.2.3.17, 2.0.0.10, RES670 2.0.0.4, 2.1.0.1, and prior) outside the intended directory. Un atacante podría utilizar rutas especialmente diseñadas en una petición específica para leer o eliminar archivos desde Relion 670 Series (versiones 1p1r26, 1.2.3.17, 2.0.0.10, RES670 2.0.0.4, 2.1.0.1 y anteriores) fuera del directorio previsto. • https://www.us-cert.gov/ics/advisories/icsa-19-330-01 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2019-18247
https://notcve.org/view.php?id=CVE-2019-18247
27 Nov 2019 — An attacker may use a specially crafted message to force Relion 650 series (versions 1.3.0.5 and prior) or Relion 670 series (versions 1.2.3.18, 2.0.0.11, 2.1.0.1 and prior) to reboot, which could cause a denial of service. Un atacante puede utilizar un mensaje especialmente diseñado para forzar a Relion 650 series (versiones 1.3.0.5 y anteriores) o Relion 670 series (versiones 1.2.3.18, 2.0.0.11, 2.1.0.1 y anteriores) a reiniciarse, lo que podría causar una denegación de servicio. • https://www.us-cert.gov/ics/advisories/icsa-19-330-02 • CWE-20: Improper Input Validation •