#VU26061 Improper Neutralization of HTTP Headers for Scripting Syntax in eSOMS - CVE-2019-19002

Vulnerability identifier: #VU26061

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-19002

CWE-ID: CWE-644

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
eSOMS

Software vendor:
ABB

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists due to the X-XSS-Protection HTTP response header is not set in responses from the web server. This can potentially allow browsers and proxies to cache sensitive information and might increase the risk of cross-site scripting attack. A remote authenticated attacker can gain access to sensitive information.

Install updates from vendor's website.

• https://ics-cert.us-cert.gov/advisories/icsa-20-072-01
• https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964&LanguageCode=en&DocumentPartId=&Action=Launch