ABB’s Building Management Blunder: Reflected XSS Vulnerability Exposed!

ABB Cylon Aspect 3.08.03 has an authenticated reflected XSS vulnerability. It’s like giving a toddler a permanent marker and setting them loose on your walls—unexpected and messy. The unsanitized input in GET parameters can execute arbitrary code in your browser, turning your building management system into a surprise art exhibit.

1P
Published: April 15, 2025 7:17 amAdded: April 15, 2025 at 12:39 amAssembled by: The Editor
Pro Dashboard

Hot Take:

ABB Cylon’s Aspect might be the next big thing in energy management, but with its latest vulnerability, it seems like it’s more interested in managing your cookie jar. With a little bit of unsanitized input and a sprinkle of reflected XSS, your browser could be in for a wild ride. Who knew saving energy could be so… electrifying?

Key Points:

  • ABB Cylon’s ASPECT solution faces an authenticated reflected XSS vulnerability.
  • Vulnerability affects specific GET parameters like ‘name’ and ‘id’.
  • Potential for arbitrary HTML/JS code execution in affected user’s browser sessions.
  • Tested on various Linux distributions and processor configurations.
  • Discovered by Gjoko ‘LiquidWorm’ Krstic, advisory ID ZSL-2025-5897.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?