CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

An attacker could trick a user of Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 into visiting a malicious website posing as a login page for the Ellipse application and gather authentication credentials.

• https://search.abb.com/library/Download.aspx?DocumentID=9AKK107991A7777&LanguageCode=en&DocumentPartId=&Action=Launch
• https://www.cisa.gov/uscert/ics/advisories/icsa-21-061-01
• CWE-451: User Interface (UI) Misrepresentation of Critical Information
• CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CVSS: 5.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

An attacker could exploit this vulnerability in Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 by tricking a user into clicking on a link containing malicious code that would then be run by the web browser. This can result in the compromise of confidential information, or even the takeover of the user's session.

• https://search.abb.com/library/Download.aspx?DocumentID=9AKK107991A7777&LanguageCode=en&DocumentPartId=&Action=Launch
• https://www.cisa.gov/uscert/ics/advisories/icsa-21-061-01
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

An Unprotected Transport of Credentials issue was discovered in ABB Ellipse 8.3 through Ellipse 8.9 released prior to December 2017 (including Ellipse Select). A vulnerability exists in the authentication of Ellipse to LDAP/AD using the LDAP protocol. An attacker could exploit the vulnerability by sniffing local network traffic, allowing the discovery of authentication credentials.

• https://ics-cert.us-cert.gov/advisories/ICSA-17-353-01
• CWE-522: Insufficiently Protected Credentials
• CWE-523: Unprotected Transport of Credentials