Headline
ABB Cylon Aspect 3.08.03 (MapServicesHandler) Authenticated Reflected XSS
Title: ABB Cylon Aspect 3.08.03 (MapServicesHandler) Authenticated Reflected XSS
Advisory ID: ZSL-2025-5897
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (4/5)
Release Date: 06.01.2025
Summary
ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.
Description
The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameters ‘name’ and ‘id’ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user’s browser session in the context of an affected site.
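Because the input is reflected from the ‘name’ and ‘id’ GET parameters, web server access logs are one place to check for probing of this handler. The following is an added example, not part of the original advisory or of the vendor's code: it flags log entries for the handler whose ‘name’ or ‘id’ value decodes to HTML metacharacters. The request path, the sample log lines and the character set are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

HANDLER = "mapserviceshandler"   # component named in the advisory title
WATCHED = ("name", "id")         # GET parameters named in the advisory
MARKUP = re.compile(r"[<>\"'`]")  # characters needed to leave text/attribute context
# Request line of an Apache/lighttpd combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample entries; the URL path and all values are assumptions.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jan/2025:10:00:01 +0000] "GET /MapServicesHandler?name=Floor1&id=12 HTTP/1.1" 200 512',
    '192.0.2.44 - - [06/Jan/2025:10:02:17 +0000] "GET /MapServicesHandler?name=%3Cb%3Ex%3C%2Fb%3E&id=12 HTTP/1.1" 200 540',
    '192.0.2.44 - - [06/Jan/2025:10:02:19 +0000] "GET /MapServicesHandler?name=Floor1&id=%2522%253E HTTP/1.1" 200 531',
    '192.0.2.10 - - [06/Jan/2025:10:03:00 +0000] "GET /index.php?name=%3Cb%3E HTTP/1.1" 200 100',
]


def suspicious_params(log_line):
    """Return the watched parameters whose decoded value contains markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if HANDLER not in url.path.lower():
        return []
    hits = set()
    for key, values in parse_qs(url.query, keep_blank_values=True).items():
        if key.lower() not in WATCHED:
            continue
        for value in values:
            # parse_qs decodes once; decode again to catch double encoding.
            if MARKUP.search(value) or MARKUP.search(unquote(value)):
                hits.add(key.lower())
    return sorted(hits)


def scan(lines):
    """Return (line_number, parameters) for every flagged entry."""
    flagged = []
    for number, line in enumerate(lines, 1):
        params = suspicious_params(line)
        if params:
            flagged.append((number, params))
    return flagged


if __name__ == "__main__":
    for number, params in scan(SAMPLE_LOG):
        print(f"line {number}: markup in {', '.join(params)}")
```

The check is a heuristic: a legitimate value containing an apostrophe or quote is flagged as well, so hits need review rather than automatic blocking.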
Vendor
ABB Ltd. - https://www.global.abb
Affected Version
NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.03
Tested On
GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel® Atom™ Processor E3930 @ 1.30GHz
Intel® Xeon® Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vendor Status
[21.04.2024] Vulnerability discovered.
[22.04.2024] Vendor contacted.
[22.04.2024] Vendor responds.
[02.05.2024] Working with the vendor.
[06.01.2025] Public security advisory released.
PoC
abb_aspect_xss6.txt
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
N/A
Changelog
[06.01.2025] - Initial release
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: [email protected]