CVE-2020-28210 in EcoStruxure Building Operation WebStation
Summary
by MITRE • 11/20/2020
A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists in EcoStruxure Building Operation WebStation V2.0 - V3.1 that could cause an attacker to inject HTML and JavaScript code into the user's browser.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/29/2026
The vulnerability identified as CVE-2020-28210 represents a critical cross-site scripting flaw classified under CWE-79, which specifically addresses improper neutralization of input during web page generation. This vulnerability affects EcoStruxure Building Operation WebStation versions 2.0 through 3.1, exposing users to significant security risks through malicious code injection attacks. The flaw occurs when user-supplied input is not properly sanitized before being rendered in web pages, creating an exploitable condition that allows attackers to manipulate the application's output.
The technical implementation of this vulnerability stems from insufficient input validation and output encoding mechanisms within the web application's rendering pipeline. When users interact with the WebStation interface and provide input through various form fields or parameters, the application fails to adequately escape or sanitize this data before incorporating it into dynamically generated HTML content. This improper handling creates an opening for attackers to inject malicious scripts that execute within the context of other users' browsers, potentially leading to session hijacking, data theft, or further exploitation of the compromised systems.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a range of malicious activities within the targeted environment. An attacker could leverage this vulnerability to steal user credentials, access sensitive building management data, or manipulate building automation systems through the compromised web interface. The attack surface is particularly concerning given that EcoStruxure Building Operation targets industrial control systems and building management environments where the compromise of web interfaces could lead to physical security breaches or operational disruptions. This vulnerability directly aligns with ATT&CK technique T1566 for initial access through phishing and T1059 for command and script injection, making it a significant vector for broader attack chains.
Organizations utilizing affected versions of EcoStruxure Building Operation WebStation should prioritize immediate remediation through official vendor patches or updates. The mitigation strategy should include comprehensive input validation, output encoding, and implementation of Content Security Policy headers to prevent unauthorized script execution. Additionally, network segmentation and monitoring of web application traffic can help detect and prevent exploitation attempts. Security teams should also conduct thorough vulnerability assessments of their industrial control systems to identify similar vulnerabilities in other applications and ensure proper security controls are in place throughout their operational technology environments.