Explore all Exploits:

ABB Cylon Aspect 3.08.02 Stored Cross-Site Scripting Vulnerability

The ABB Cylon Aspect BMS/BAS controller in versions <=3.08.02 is vulnerable to an authenticated stored cross-site scripting (XSS) flaw. An attacker can upload a malicious .txt file containing an XSS payload, which, once stored on the server, can be served back to users. By injecting client-side scripts, attackers can execute arbitrary code in the context of any user accessing the infected file or related web page (license.php). Bypassing file upload checks requires including the Variant string in the request.

ABB Cylon Aspect 3.07.02 Weak Password Policy

ABB Cylon Aspect 3.07.02 suffers from a weak password policy in userManagement.php, allowing users to set simple or empty passwords and usernames without constraints. This flaw decreases account security, empowering attackers to misuse weak credentials for unauthorized access.

ABB Cylon Aspect 3.08.02 Cross-Site Request Forgery

The ABB Cylon Aspect 3.08.02 allows attackers to perform unauthorized actions with administrative privileges by sending malicious HTTP requests to the userManagement.php script. This vulnerability exists due to the lack of proper validation checks on incoming requests, enabling attackers to exploit the system through a logged-in user visiting a malicious website.

ABB Cylon Aspect 3.08.03 (CookieDB) SQL Injection

The ABB Cylon Aspect 3.08.03 BMS/BAS controller is vulnerable to SQL injection through the key and user parameters, as they are not properly sanitized. This allows attackers to manipulate SQL queries, potentially leading to unauthorized access to the database or execution of arbitrary SQL commands.

ABB Cylon Aspect 3.08.02 – Cookie User Password Disclosure

The ABB Cylon Aspect version 3.08.02 application stores sensitive information in clear text within a cookie. This includes the global parameter, which holds base64-encoded credentials. A remote attacker who intercepts the HTTP cookie through a man-in-the-middle attack gains access to authentication credentials, potentially leading to unauthorized access to user accounts and sensitive data.

ABB Cylon Aspect 3.08.02 – Remote Code Execution

The ABB Cylon Aspect BMS/BAS controller before 3.08.02 is vulnerable to authenticated OS command injection. Attackers can upload a specially crafted .db file that contains malicious shell commands. These commands are then executed on the server through the copyFile.sh script, bypassing filename sanitization.

ABB Cylon Aspect 3.08.03 Hard-coded Secrets

The ABB Cylon Aspect BMS/BAS controller has hard-coded credentials such as usernames, passwords, and encryption keys in various Java classes. This vulnerability could be exploited by attackers to gain unauthorized access and compromise system integrity.

ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) File Write Denial of Service (DoS)

The webServerDeviceLabelUpdate.php script in the ABB Cylon Aspect BMS/BAS controller allows authenticated attackers to inject arbitrary content via the 'deviceLabel' POST parameter. The content is written to a fixed file location (/usr/local/aam/etc/deviceLabel), potentially causing denial of service.

ABB Cylon Aspect 3.07.02 – File Disclosure

The ABB Cylon Aspect 3.07.02 product is prone to an authenticated arbitrary file disclosure vulnerability. This vulnerability exists in the 'downloadDb.php' script due to improper validation of user-supplied input in the 'file' GET parameter. Attackers can exploit this issue to read sensitive files by traversing directories.

ABB Cylon Aspect 3.07.01 – Hard-coded Default Credentials

The ABB BMS/BAS controller in ABB Cylon Aspect 3.07.01 operates with default and hard-coded credentials included in the installation package, making it vulnerable when exposed to the Internet.

Recent Exploits: