Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-13950

Summary
Assigner-ABB
Assigner Org ID-2b718523-d88f-4f37-9bbd-300c20644bf9
Published At-22 May, 2025 | 18:20
Updated At-22 May, 2025 | 18:41
Rejected At-
Credits

Log Injection

Log injection vulnerabilities in ASPECT provide attacker access to inject malicious browser scripts if administrator credentials become compromised.This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:ABB
Assigner Org ID:2b718523-d88f-4f37-9bbd-300c20644bf9
Published At:22 May, 2025 | 18:20
Updated At:22 May, 2025 | 18:41
Rejected At:
▼CVE Numbering Authority (CNA)
Log Injection

Log injection vulnerabilities in ASPECT provide attacker access to inject malicious browser scripts if administrator credentials become compromised.This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.

Affected Products
Vendor
ABBABB
Product
ASPECT-Enterprise
Platforms
  • Linux
Default Status
affected
Versions
Affected
  • From 0 through 3.* (custom)
Vendor
ABBABB
Product
NEXUS Series
Platforms
  • Linux
Default Status
unaffected
Versions
Affected
  • From 0 through 3.* (custom)
Vendor
ABBABB
Product
MATRIX Series
Platforms
  • Linux
Default Status
unaffected
Versions
Affected
  • From 0 through 3.* (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79: Improper Neutralization of Input During Web Page Generation
Type: CWE
CWE ID: CWE-79
Description: CWE-79: Improper Neutralization of Input During Web Page Generation
Metrics
VersionBase scoreBase severityVector
4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
3.16.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Version: 3.1
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
ABB likes to thank Gjoko Krstikj, Zero Science Lab, for reporting the vulnerabilities in responsible disclosure
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021&LanguageCode=en&DocumentPartId=pdf&Action=Launch
N/A
Hyperlink: https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021&LanguageCode=en&DocumentPartId=pdf&Action=Launch
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cybersecurity@ch.abb.com
Published At:22 May, 2025 | 19:15
Updated At:23 May, 2025 | 15:54

Log injection vulnerabilities in ASPECT provide attacker access to inject malicious browser scripts if administrator credentials become compromised.This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.9MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.16.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
Type: Secondary
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Primarycybersecurity@ch.abb.com
CWE ID: CWE-79
Type: Primary
Source: cybersecurity@ch.abb.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021&LanguageCode=en&DocumentPartId=pdf&Action=Launchcybersecurity@ch.abb.com
N/A
Hyperlink: https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021&LanguageCode=en&DocumentPartId=pdf&Action=Launch
Source: cybersecurity@ch.abb.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

7Records found
CVE-2024-13949
Matching Score-8
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-8
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-6.9||MEDIUM
EPSS-0.04% / 10.69%
||
7 Day CHG~0.00%
Published-22 May, 2025 | 18:19
Updated-23 May, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Log Forging

Large content vulnerabilities are present in ASPECT exposing a device to disk overutilization on a system if administrator credentials become compromisedThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.

Action-Not Available
Vendor-ABB
Product-ASPECT-EnterpriseMATRIX SeriesNEXUS Series
CWE ID-CWE-117
Improper Output Neutralization for Logs
CVE-2024-13958
Matching Score-6
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-6
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-4.6||MEDIUM
EPSS-0.04% / 8.78%
||
7 Day CHG~0.00%
Published-22 May, 2025 | 18:36
Updated-23 May, 2025 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored Cross Site Scripting

Stored Cross Site Scripting vulnerabilities exist in ASPECT if administrator creden-tials become compromisedThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.

Action-Not Available
Vendor-ABB
Product-ASPECT-EnterpriseMATRIX SeriesNEXUS Series
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6516
Matching Score-6
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-6
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-9.3||CRITICAL
EPSS-1.20% / 78.03%
||
7 Day CHG~0.00%
Published-05 Dec, 2024 | 12:24
Updated-05 Dec, 2024 | 18:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross Site Scripting XSS

Cross Site Scripting vulnerabilities where found providing a potential for malicious scripts to be injected into a client browser.  Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02

Action-Not Available
Vendor-ABB
Product-MATRIX SeriesNEXUS SeriesASPECT-Enterpriseaspect_enterprisenexus_seriesmatrix_series
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-8477
Matching Score-6
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-6
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-8.8||HIGH
EPSS-0.46% / 63.38%
||
7 Day CHG~0.00%
Published-22 Apr, 2020 | 14:46
Updated-04 Aug, 2024 | 10:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ABB System 800xA Information Manager Remote Code Execution

The installations for ABB System 800xA Information Manager versions 5.1, 6.0 to 6.0.3.2 and 6.1 wrongly contain an auxiliary component. An attacker is able to use this for an XSS-like attack to an authenticated local user, which might lead to execution of arbitrary code.

Action-Not Available
Vendor-ABB
Product-800xa_information_managerSystem 800xA Information Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-489
Active Debug Code
CVE-2019-19095
Matching Score-6
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-6
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 53.01%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 19:47
Updated-05 Aug, 2024 | 02:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ABB eSOMS: Stored XSS vulnerability

Lack of adequate input/output validation for ABB eSOMS versions 4.0 to 6.0.2 might allow an attacker to attack such as stored cross-site scripting by storing malicious content in the database.

Action-Not Available
Vendor-Hitachi Energy Ltd.ABB
Product-esomseSOMS
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-19003
Matching Score-6
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-6
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-5.3||MEDIUM
EPSS-0.37% / 58.07%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 19:46
Updated-05 Aug, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ABB eSOMS: HTTPOnly flag not set

For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. This can allow Javascript to access the cookie contents, which in turn might enable Cross Site Scripting.

Action-Not Available
Vendor-Hitachi Energy Ltd.ABB
Product-esomseSOMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-16
Not Available
CVE-2019-19002
Matching Score-6
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-6
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-6.3||MEDIUM
EPSS-0.28% / 50.61%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 19:50
Updated-05 Aug, 2024 | 02:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ABB eSOMS X-XSS-Protection not enabled

For ABB eSOMS versions 4.0 to 6.0.2, the X-XSS-Protection HTTP response header is not set in responses from the web server. For older web browser not supporting Content Security Policy, this might increase the risk of Cross Site Scripting.

Action-Not Available
Vendor-Hitachi Energy Ltd.ABB
Product-esomseSOMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-16
Not Available
Details not found