CVE-2019-19002 in eSOMS
Summary
by MITRE
For ABB eSOMS versions 4.0 to 6.0.2, the X-XSS-Protection HTTP response header is not set in responses from the web server. For older web browsers not supporting Content Security Policy, this might increase the risk of Cross Site Scripting.
Analysis
by VulDB Data Team • 05/09/2025
CVE-2019-19002 affects ABB eSOMS versions 4.0 through 6.0.2: the web server does not set the X-XSS-Protection HTTP response header. This is a hardening gap in the server's response-header configuration, classified as CWE-16 (Configuration), not an injection flaw in the application itself. The header is a defence-in-depth control: it tells browsers that ship a built-in reflected-XSS filter to enable it. Its absence does not create a cross-site scripting vulnerability on its own; a separate XSS weakness is still required. What it does is remove one layer that might have blocked a reflected payload for users of older browsers that do not support Content Security Policy, which is why the summary describes the effect as an increase in risk rather than as direct exploitability.
Technically, the header value "1; mode=block" instructs a browser with a reflected-XSS filter to stop rendering the page when it detects that script in the response was also present in the request, while "0" turns the filter off. The filter only existed in some browsers and has since been retired: Chromium removed its XSS Auditor in version 78 (late 2019), Firefox never implemented one, so on current browsers the header has no effect and CSP together with correct output encoding are the controls that matter. The condition is therefore most relevant to installations whose users still run legacy browsers, which is not unusual on plant networks with long upgrade cycles. Because the missing header is a server-wide setting, it applies to every page eSOMS serves across the affected version range, not to a single endpoint.
The impact is that of whatever cross-site scripting weakness the missing filter would otherwise have mitigated: a payload runs in the browser of an authenticated eSOMS user, with that user's session, and can steal session tokens or credentials, read the pages the user can read, or submit requests on the user's behalf. The nearest ATT&CK mapping is T1203 (Exploitation for Client Execution), since the execution happens client-side in the user's browser. In the operational settings where eSOMS is deployed, the data at stake is shift and operations records, so tampering with or exfiltrating those records is the realistic consequence; the page provides no basis for claims of direct control over industrial processes, and any such impact would depend on other weaknesses not described here.
Mitigation for the condition as reported is to set the header on every response, for example 'X-XSS-Protection: 1; mode=block', and to confirm by inspecting response headers that it is present on all eSOMS pages, not only the login page. Two caveats apply. First, the header is deprecated and ignored by current browsers, so it must not be treated as the XSS defence; the primary controls are context-aware output encoding in the application and a Content-Security-Policy that restricts script sources. Second, the legacy filter itself had a history of abuse (it could be tricked into blocking legitimate scripts and was usable as a cross-site information leak), which is why some current guidance recommends sending 'X-XSS-Protection: 0' and relying on CSP; organisations with a legacy-browser population should weigh that trade-off rather than enabling the filter reflexively. Beyond the header, a response-header baseline (CSP, HSTS, X-Content-Type-Options, cookie flags) should be part of regular configuration audits of web-facing operational systems, and web-traffic monitoring and incident response procedures should cover attempts to exploit XSS in these applications.
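As an added example (not code from the VulDB page or from ABB), the following Python audit parses a raw HTTP response and reports on the two headers discussed in the analysis and mitigation sections: the missing X-XSS-Protection condition from the summary, and the state after remediation where a Content-Security-Policy is present alongside the header. The two sample responses are constructed for illustration, not captured from an eSOMS server; `fetch_raw_headers()` is a hypothetical helper showing how the same check would be run against a live host.

```python
"""Audit an HTTP response for the XSS-related headers behind CVE-2019-19002.

Added example; not ABB code and not part of the original VulDB page.
The sample responses below are constructed, not captured from eSOMS.
"""
import re
from typing import Dict, List, Tuple

# Values the legacy filter understood: "0" (off), "1", "1; mode=block",
# optionally followed by a report=<url> directive.
_XXP_VALUE = re.compile(r"^(0|1(\s*;\s*mode=block)?(\s*;\s*report=\S+)?)$", re.IGNORECASE)


def parse_response(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x response into status line and a header map.
    Names are lower-cased; repeated headers are kept in order of appearance."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed header lines instead of failing the audit
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def audit_xss_headers(raw: bytes) -> List[str]:
    """Return findings (empty list means no issue) for Content-Security-Policy
    and X-XSS-Protection. CSP is treated as the primary control; the legacy
    header only matters for browsers that still honour it."""
    _, headers = parse_response(raw)
    findings: List[str] = []

    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy missing: no script-source restriction for CSP-capable browsers")

    xxp = headers.get("x-xss-protection")
    if xxp is None:
        findings.append("X-XSS-Protection missing: legacy XSS filter not enabled (CVE-2019-19002 condition)")
    else:
        for value in xxp:  # audit every occurrence, duplicates included
            if not _XXP_VALUE.match(value):
                findings.append(f"X-XSS-Protection malformed: {value!r}")
            elif value.strip() == "0":
                findings.append("X-XSS-Protection explicitly disabled")
    return findings


# Constructed sample: the shape of a response exhibiting the CVE condition
# (neither CSP nor X-XSS-Protection is sent).
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: session=example; Path=/; HttpOnly\r\n"
    b"\r\n"
    b"<html><body>shift log</body></html>"
)

# Constructed sample: the same response after remediation. CSP does the real
# work; X-XSS-Protection is only added for browsers without CSP support.
REMEDIATED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: session=example; Path=/; HttpOnly; Secure\r\n"
    b"Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"\r\n"
    b"<html><body>shift log</body></html>"
)


def fetch_raw_headers(host: str, port: int = 443, path: str = "/") -> bytes:
    """Hypothetical live variant: fetch a real server's header block over TLS
    in the raw form audit_xss_headers() expects. Not used in the offline demo."""
    import http.client
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    status = f"HTTP/1.1 {resp.status} {resp.reason}\r\n".encode("iso-8859-1")
    hdrs = b"".join(f"{k}: {v}\r\n".encode("iso-8859-1") for k, v in resp.getheaders())
    conn.close()
    return status + hdrs + b"\r\n"


if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("remediated", REMEDIATED_RESPONSE)):
        print(label, audit_xss_headers(raw) or ["no findings"])
```

Running the block prints two findings for the constructed vulnerable response and none for the remediated one. A response that sends 'X-XSS-Protection: 0' is reported separately rather than as missing, so a deliberate decision to disable the legacy filter in favour of CSP is visible in the audit output instead of being silently counted as a failure.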