For ABB eSOMS versions 4.0 to 6.0.2, the X-Frame-Options header is not configured in HTTP response. This can potentially allow 'ClickJacking' attacks where an attacker can frame parts of the application on a malicious web site, revealing sensitive user information such as authentication credentials.
Para ABB eSOMS versiones 4.0 hasta 6.0.2, el encabezado X-Frame-Options no está configurado en la respuesta HTTP. Esto puede permitir potencialmente ataques de tipo "ClickJacking" donde un atacante puede enmarcar partes de la aplicación en un sitio web malicioso, revelando información confidencial del usuario, tales como credenciales de autenticación.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | NONE |
| Availability Impact | NONE |
AV:N/AC:M/Au:N/C:P/I:N/A:N
| Access Vector | NETWORK |
|---|---|
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | NONE |
| Availability Impact | NONE |
| Source | Type | Description |
|---|---|---|
| [email protected] | Secondary |
en
CWE-16
|
| [email protected] | Primary |
en
CWE-1021
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| hitachienergy | esoms | * | <built-in method update of dict object at 0x72a9cc76d340> | Application |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:hitachienergy:esoms:*:*:*:*:*:*:*:* |