header-logo
Suggest Exploit
explore-vulnerabilities

Explore Vulnerabilities

Version
Year

Explore all Exploits:

Show More

ABB Cylon Aspect 3.08.03 (CookieDB) SQL Injection

The ABB Cylon Aspect 3.08.03 BMS/BAS controller is vulnerable to SQL injection through the key and user parameters, as they are not properly sanitized. This allows attackers to manipulate SQL queries, potentially leading to unauthorized access to the database or execution of arbitrary SQL commands.

6.1
CVSS
HIGH
SQL Injection
89
CWE
Product Name
ASPECT
Platforms Tested
GNU/Linux, Intel processors, PHP, AspectFT Automation Application Server, lighttpd, Apache, OpenJDK, ErgoTech MIX Deployment Server
Affected Version
From:
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware <=3.08.03
To:
2024
Show More

ABB Cylon Aspect 3.08.02 – Remote Code Execution

The ABB Cylon Aspect BMS/BAS controller before 3.08.02 is vulnerable to authenticated OS command injection. Attackers can upload a specially crafted .db file that contains malicious shell commands. These commands are then executed on the server through the copyFile.sh script, bypassing filename sanitization.

6.1
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name
ASPECT
Platforms Tested
GNU/Linux, PHP, AspectFT Automation Application Server, lighttpd, Apache, OpenJDK, ErgoTech MIX Deployment Server
Affected Version
From:
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware <=3.08.02
To:
03.08.02
2024
Show More

ABB Cylon Aspect 3.08.02 PHP Session Fixation Vulnerability

The ABB Cylon Aspect BMS/BAS controller is vulnerable to session fixation, allowing an attacker to set a predefined PHPSESSID value. This can be exploited by leveraging an unauthenticated reflected XSS vulnerability in jsonProxy.php to inject a crafted request, forcing the victim to adopt a fixated session.

6.1
CVSS
HIGH
Session Fixation
384
CWE
Product Name
ASPECT
Platforms Tested
GNU/Linux, Intel processors, PHP, AspectFT Automation Application Server, lighttpd, Apache, OpenJDK, ErgoTech MIX Deployment Server
Affected Version
From:
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.08.02
To:
2024

Recent Exploits:

RDPGuard 9.9.9 – Privilege Escalation

author
Ahmet Ümit BAYRAM
vendor
RDPGuard
severity
6.1
HIGH

YesWiki Unauthenticated Path Traversal

author
Al Baradi Joy
vendor
YesWiki
severity
7.1
HIGH

ABB Cylon Aspect 3.08.02 Stored Cross-Site Scripting Vulnerability

author
Gjoko 'LiquidWorm' Krstic
vendor
ABB Ltd.
severity
6.1
HIGH

Apache ActiveMQ 6.1.6 – Denial of Service (DOS)

author
Abdualhadi khalifa
vendor
Apache
severity
6.1
HIGH

GeoVision GV-ASManager 6.1.1.0 – CSRF

author
Giorgi Dograshvili [DRAGOWN]
vendor
GeoVision
severity
6.1
HIGH

ABB Cylon FLXeon 9.3.4 WebSocket Command Spawning Vulnerability

author
Zero Science Lab
vendor
ABB Ltd.
severity
6.1
HIGH

GestioIP 3.5.7 – Stored Cross-Site Scripting Vulnerability

author
m4xth0r (Maximiliano Belino)
vendor
GestioIP
severity
6.1
HIGH

Cacti 1.2.26 – Remote Code Execution (RCE) (Authenticated)

author
D3Ext
vendor
Cacti
severity
6.1
HIGH

Exclusive Addons for Elementor ≤ 2.6.9 – Authenticated Stored Cross-Site Scripting (XSS)

author
Al Baradi Joy
vendor
exclusiveaddons
severity
5.1
MEDIUM

Kentico Xperience 13.0.178 – Cross Site Scripting (XSS)

author
Alex Messham
vendor
Kentico
severity
6.1
HIGH

Navigation

Suggest Exploit

Services By CQR