SB2022033013 - Multiple vulnerabilities in Hitachi Energy LinkOne WebView

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Stored cross-site scripting (CVE-ID: CVE-2021-40337)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Use of Password System for Primary Authentication (CVE-ID: CVE-2021-40338)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a misconfiguration in the web server configuration file. A remote attacker can gain unauthorized access to sensitive information on the system.

3) Configuration (CVE-ID: CVE-2021-40339)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the LinkOne application lacks HTTP Headers. A remote attacker can gain unauthorized access to sensitive information on the system.

4) Information disclosure (CVE-ID: CVE-2021-40340)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to misconfiguration in the ASP server causes server and ASP.net information to be shown. A remote attacker can gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

• https://search.abb.com/library/Download.aspx?DocumentID=8DBD000079&LanguageCode=en&DocumentPartId=&Action=Launch