#VU26058 Authorization bypass through user-controlled key in Asset Suite


Published: 2020-03-13

Vulnerability identifier: #VU26058

Vulnerability risk: Medium

CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18998

CWE-ID: N/A

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Asset Suite
Server applications / SCADA systems

Vendor: ABB

Description

The vulnerability allows a remote user to gain unauthorized access to sensitive information in the application.

The vulnerability exists due to improper access controls used to limit user access to resources. A remote user who knows or discovers the URL of a resource they do not have permission to access can reach that resource by browsing directly to the URL.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Asset Suite: 9.6


External links
http://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962&LanguageCode=en&DocumentPartId=&Action=Launch
http://www.us-cert.gov/ics/advisories/icsa-20-072-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
