Security Advisory – Critical XSS Vulnerability in ABB WebPro SNMP Card

Overview

ABB has identified a critical cross-site scripting (XSS) vulnerability (ABB vulnerability ID ABBVREP0138; this is ABB's own report identifier, not a CVE number) in the WebPro SNMP card for PowerValue UPS systems, including the UL variant, in versions 1.1.8.j and earlier. Affected users should update to version 1.1.8.k, which fixes the issue.

Vulnerability Details

  • Impact: An attacker with administrative privileges could inject script that executes in the browsers of users who load the crafted page, potentially taking control of the SNMP card's web interface and inserting arbitrary code. Control of the card could then be abused to send shutdown commands to the UPS, resulting in denial of service of the protected load.
  • Severity: ABB rates the vulnerability with a CVSS v3.1 base score of 9.1 (Critical) and a temporal score of 8.2 (High).
  • Cause: The web application echoes the "name" parameter of a GET request back into the response without validation or output encoding, so any HTML or script supplied in that parameter is rendered by the browser (reflected XSS).
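To make the cause concrete, the following is an added example and not ABB's firmware code: a minimal handler that reflects the "name" query parameter unencoded (the pattern the advisory describes), the same handler with HTML output encoding, an allow-list validator as a second layer, and a small check that tells you whether a captured response body still reflects a probe marker verbatim. The request path, page template and marker are assumptions chosen for illustration; the card's real URLs are not published in the advisory.

```python
"""Reflected XSS via an echoed GET parameter: vulnerable vs hardened handler.

Added example for this advisory, not code from ABB. The URL path, the page
template and the probe marker are assumptions used only to illustrate the
"name" parameter being returned to the browser without encoding.
"""
import re
from html import escape
from urllib.parse import urlsplit, parse_qs, quote

# Constructed probe: a tag that only runs if the response reflects it raw.
XSS_MARKER = '<img src=x onerror="alert(1)">'

# Allow-list for a device/display name: letters, digits, space, _ . - (assumed policy)
NAME_RE = re.compile(r"^[A-Za-z0-9 _.\-]{1,64}$")


def craft_probe_url(base_url: str, marker: str = XSS_MARKER) -> str:
    """Build the GET request a tester would send: base URL + percent-encoded marker."""
    return f"{base_url}?name={quote(marker, safe='')}"


def get_name_param(url: str) -> str:
    """Extract the first 'name' value from the URL's query string (decoded)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("name", [""])[0]


def render_vulnerable(url: str) -> str:
    """The advisory's bug: the untrusted value is concatenated straight into HTML."""
    name = get_name_param(url)
    return f"<html><body><h1>Device: {name}</h1></body></html>"


def render_hardened(url: str) -> str:
    """Same page with output encoding: <, >, &, quotes become entities, so the
    value is displayed as text instead of being parsed as markup."""
    name = escape(get_name_param(url), quote=True)
    return f"<html><body><h1>Device: {name}</h1></body></html>"


def validate_name(name: str) -> bool:
    """Defence in depth: reject anything outside the allow-list before use."""
    return NAME_RE.fullmatch(name) is not None


def reflects_unescaped(body: str, marker: str = XSS_MARKER) -> bool:
    """True if the probe marker appears verbatim in a response body.
    Run this over the body fetched from a patched card to confirm the fix."""
    return marker in body


if __name__ == "__main__":
    probe = craft_probe_url("http://192.0.2.10/status.cgi")  # assumed address/path
    print("vulnerable reflects raw:", reflects_unescaped(render_vulnerable(probe)))
    print("hardened reflects raw:  ", reflects_unescaped(render_hardened(probe)))
```

`reflects_unescaped` is deliberately body-only so it can be pointed at a response captured with any HTTP client; a `False` result after upgrading to 1.1.8.k is the practical confirmation that the parameter is no longer echoed raw. Output encoding is the fix that matters for the rendered page; the allow-list is an extra layer, not a substitute for it.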

Mitigation

  • Update: Apply the WebPro SNMP card (SNMP Web Pro) v1.1.8.k update immediately; this is the fixed release named in the overview.
  • Contact: For more information, contact ABB Digital Service Support at ch.ups.digital@abb.com.

General Security Recommendations

  • Isolate control and management networks behind firewalls.
  • Install physical access controls for the equipment.
  • Ensure programming and engineering software is connected only to the networks it is intended for.
  • Scan all data imported into the system for malware.
  • Minimize the network exposure of devices such as the SNMP card; do not expose management interfaces to the Internet.
  • Keep application software, operating systems, firmware, antivirus, and firewalls updated.
  • Use encrypted protocols such as HTTPS for management access.
  • Use VPNs for remote access instead of direct exposure.

Support

For additional support, contact ABB service or visit the ABB Cybersecurity web pages.

Source: ABB Cyber Security Advisory – Rev A (2024-06-03)