Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in ABB T-MAC Plus.

This issue affects T-MAC Plus: 4.0-24.
Published: 2026-06-03
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw, meaning user‑supplied data written to the database is later rendered without proper neutralization. This allows an attacker to inject JavaScript that executes in the browsers of any users who view the affected page. When executed, the script can steal session cookies, perform actions on behalf of the user, or redirect the user to malicious sites. The weakness is classified as CWE‑79.

Affected Systems

ABB T‑MAC Plus is affected, specifically versions from 4.0 up to 24. No other products or vendor versions are listed as impacted in the data.

Risk and Exploitability

The CVSS score of 7.2 indicates a high potential for significant impact. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, so the public exploitation window is uncertain. The likely attack vector is via the web management interface where malicious input can be stored and later rendered. An attacker would need to supply malicious input, which may be possible if authentication controls or input validation are weak in the application. The lack of an EPSS score makes it difficult to gauge present threat, but the high CVSS suggests that if exploited, the damage could be substantial to any compromised user session.

Generated by OpenCVE AI on June 3, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ABB T‑MAC Plus patch or firmware update that addresses the cross‑site scripting issue.
  • Restrict access to the T‑MAC Plus web interface to trusted network hosts or VPN users only.
  • Configure a web application firewall or implement strict input‑validation rules to remove dangerous characters before rendering content in browsers.

Generated by OpenCVE AI on June 3, 2026 at 12:21 UTC.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 11:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24.
Title | | Stored Cross-Site Scripting in ABB T-MAC Plus web application
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: ABB

Published:

Updated: 2026-06-03T12:24:07.651Z

Reserved: 2025-12-16T03:47:13.941Z

Link: CVE-2025-14773

Vulnrichment

Updated: 2026-06-03T12:24:03.390Z

NVD

Status: Received

Published: 2026-06-03T11:16:18.940

Modified: 2026-06-03T11:16:18.940

Link: CVE-2025-14773

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T12:30:26Z

Weaknesses