Session cookie exposure for client side script
CVE-2023-2876

6.1 MEDIUM

Key Information:

Vendor

ABB

CVE Published: 13 June 2023

What is CVE-2023-2876?

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in ABB REX640 PCL1 (firmware modules), ABB REX640 PCL2 (firmware modules), ABB REX640 PCL3 (firmware modules) allows Cross-Site Scripting (XSS). This issue affects REX640 PCL1: from 1.0;0 before 1.0.8; REX640 PCL2: from 1.0;0 before 1.1.4; REX640 PCL3: from 1.0;0 before 1.2.1.

Affected Version(s)

REX640 PCL1 1.0;0 < 1.0.8

REX640 PCL2 1.0;0 < 1.1.4

REX640 PCL3 1.0;0 < 1.2.1

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ABB thanks Paul Mader and Gianluca Raberger of VERBUND AG's OT Cyber Security Lab for helping to identify the vulnerabilities and protecting our customers.