#php

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameters 'name' and 'id' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

The ABB Cylon Aspect BMS/BAS controller contains multiple instances of hard-coded credentials, including usernames, passwords, and encryption keys embedded in various java classes. This practice poses significant security risks, allowing attackers to gain unauthorized access and compromise the system's integrity.

### Impact Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used. ### Patches Upgrade to version 0.8.1 or higher. ### Workarounds No. ### References Issue is similar to https://nvd.nist.gov/vuln/detail/CVE-2025-22376.

### Summary There are several sources of arbitrary, unescaped user input being used to construct HTML, which allows any user that can edit pages or otherwise render wikitext to XSS other users. > Edit: Only the first XSS can be reproduced in production. ### Details > ✅ Verified and patched in f229cab099c69006e25d4bad3579954e481dc566 https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/TabberTransclude.php#L154 This doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This was caused by d8c3db4e5935476e496d979fb01f775d3d3282e6. ---- > ❌ Invalid as MediaWiki parser sanitizes dangerous HTML https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/2526daa9f8cfdd616c861c8439755cb74a6c8c6e/includes/Tabber.php#L160 The documentation for [`Parser::recursiveTagParse()`](https://doc.wikimedia.org/mediawiki-core/REL1_42/php/classMediaWiki_1_1Par...

# Bypass XSS sanitizer using the javascript protocol and special characters **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) **CVSS vector v.4.0**: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) **Description**: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link **Impact**: executing arbitrary JavaScript code in the browser **Vulnerable component**: class `PhpOffice\PhpSpreadsheet\Writer\Html`, method `generateRow` **Exploitation conditions**: a user viewing a specially generated Excel file **Mitigation**: additional sanitization of special characters in a string **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Bypass XSS sanitizer using ...

# Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) **CVSS vector v.4.0**: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) **Description**: the HTML page is formed without sanitizing the hyperlink base **Impact**: executing arbitrary JavaScript code in the browser **Vulnerable component**: class `PhpOffice\PhpSpreadsheet\Writer\Html`, method `generateHTMLHeader` **Exploitation conditions**: a user viewing a specially generated Excel file **Mitigation**: additional sanitization of special characters in a string **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header in ...

# Cross-Site Scripting (XSS) vulnerability in custom properties **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) **CVSS vector v.4.0**: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) **Description**: the HTML page is generated without clearing custom properties **Impact**: executing arbitrary JavaScript code in the browser **Vulnerable component**: class `PhpOffice\PhpSpreadsheet\Writer\Html`, method `generateMeta` **Exploitation conditions**: a user viewing a specially generated Excel file **Mitigation**: additional sanitization of special characters in a string **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in custom properties in Phpspreadsheet. The following code is written on the ser...

# Unauthorized Reflected XSS in `Currency.php` file **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) **CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) **Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform XSS-type attack **Impact**: executing arbitrary JavaScript code in the browser **Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` file **Exploitation conditions**: an unauthorized user **Mitigation**: sanitization of the `currency` variable **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in `Currency.php` file) in Phpspread...

# Unauthorized Reflected XSS in the `Accounting.php` file **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) **CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) **Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script, an attacker can perform a XSS-type attack **Impact**: executing arbitrary JavaScript code in the browser **Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` file **Exploitation conditions**: an unauthorized user **Mitigation**: sanitization of the currency variable **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in `Accounting.php` file) ...

# Unauthorized Reflected XSS in the constructor of the `Downloader` class **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) **CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) **Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a XSS-type attack **Impact**: execution of arbitrary JavaScript code in the browser **Vulnerable component**: the constructor of the `Downloader` class **Exploitation conditions**: an unauthorized user **Mitigation**: sanitization of the `name` and `type` variables **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in the constructor of the `Downloader` class) in Phpspreadsheet. ...