CVE-2019-19089

CWE-16CWE-94Code InjectionCWE-436Interpretation Conflict3 documents3 sources
Severity
6.1MEDIUM
EPSS
0.4%
top 41.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Hitachienergy EsomsABB Esoms
Timeline
PublishedApr 2
Latest updateMay 24

Description

For ABB eSOMS versions 4.0 to 6.0.3, the X-Content-Type-Options Header is missing in the HTTP response, potentially causing the response body to be interpreted and displayed as different content type other than declared. A possible attack scenario would be unauthorized code execution via text interpreted as JavaScript.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDhitachienergy/esoms4.06.0.3
CVEListV5abb/esoms4.0 to 6.0.3

🔴Vulnerability Details

2
GHSA
GHSA-wfq4-f757-c65c: For ABB eSOMS versions 42022-05-24
CVEList
eSOMS: X-Content-Type-Options Header Missing2020-04-02
CVE-2019-19089 (MEDIUM CVSS 6.1) | For ABB eSOMS versions 4.0 to 6.0.3 | cvebase.io