#js

A CSRF vulnerability has been identified in the ABB Cylon FLXeon series. However, exploitation is limited to specific conditions due to the server's CORS configuration (Access-Control-Allow-Origin: * without Access-Control-Allow-Credentials: true). The vulnerability can only be exploited under the following scenarios: Same Domain: The attacker must host the malicious page on the same domain as the target server. Man-in-the-Middle (MitM): The attacker can intercept and modify traffic between the user and the server (e.g., on an unsecured network). Local Area Network (LAN) Access: The attacker must have access to the same network as the target server. Subdomains: The attacker can host the malicious page on a subdomain if the server allows it. Misconfigured CORS: The server’s CORS policy is misconfigured to allow certain origins or headers. Reflected XSS: The attacker can exploit a reflected XSS vulnerability to execute JavaScript in the context of the target origin.

**According to the CVSS metric, user interaction is required (UI:R) and privileges required is Low (PR:L). What does that mean for this vulnerability?** An authorized attacker with standard user privileges could place a malicious file on the machine running Visual Studio Code and then wait for the privileged victim to use certain JavaScript debugger functionality.

**Why is this HackerOne CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Node.js software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code, an attacker can steal the session of the victim by injecting malicious payload, causing High impact on confidentiality and integrity of the application.

### Summary esbuild allows any websites to send any request to the development server and read the response due to default CORS settings. ### Details esbuild sets `Access-Control-Allow-Origin: *` header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response. https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121 https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363 **Attack scenario**: 1. The attacker serves a malicious web page (`http://malicious.example.com`). 1. The user accesses the malicious web page. 1. The attacker sends a `fetch('http://127.0.0.1:8000/main.js')` request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above. 1. The attacker gets the content of `http://127.0.0.1:8000/main.js`. In this sce...

The framework suffers from an authenticated stored cross-site scripting vulnerability. Input passed to the 'content' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

The ABB Cylon Aspect BMS/BAS controller is vulnerable to session fixation, allowing an attacker to set a predefined PHPSESSID value. An attacker can leverage an unauthenticated reflected XSS vulnerability in jsonProxy.php to inject a crafted request, forcing the victim to adopt a fixated session.

The ABB Cylon FLXeon BACnet controller is vulnerable to an authenticated JSON flooding attack, leading to uncontrolled resource consumption and a denial-of-service (DoS) condition. The /api/serialConfig endpoint allows an authenticated attacker to abuse an unrestricted loop to create a large number of JSON objects by sending specially crafted requests through the ports JSON array. This results in excessive memory and CPU usage, causing resource exhaustion and potential service failure.

The ABB Cylon FLXeon BACnet controller is vulnerable to an unauthenticated WebSocket implementation that allows an attacker to execute the tcpdump command. This command captures network traffic and filters it on serial ports 4855 and 4851, which are relevant to the device's services. The vulnerability can be exploited in a loop to start multiple instances of tcpdump, leading to resource exhaustion, denial of service (DoS) conditions, and potential data exfiltration. The lack of authentication on the WebSocket interface allows unauthorized users to continuously spawn new tcpdump processes, amplifying the attack's impact.

The application has a hidden administrative account 'cxpro' that has write access permissions to the device.