ICSA-22-109-02 · Published 2022-04-19 · Source: CISA ICS-CERT
Automated Logic WebCTRL
CVSS 5.2 (MEDIUM)
Risk Summary
Successful exploitation of this vulnerability could allow an attacker to redirect the user to a malicious webpage or to download a malicious file.
CVEs (1)
Remediations
- Carrier recommends that users contact an Automated Logic dealer for instructions on downloading the latest version of WebCTRL.
- An administrator can add the CSP header/meta tag to each "index.htm" file in each of the directories under "<install_dir>/webroot/_common/lvl5/help/*".
- An example tag would read: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src 'self' data:; font-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'">
- See Carrier product security advisory CARR-PSA-001-1121 for more information.
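The meta-tag remediation above, as an added example that is not Carrier's, Automated Logic's or CISA's code: a small Python script that inserts the advisory's exact CSP tag into each help-page index.htm under the directory the advisory names, skipping files that already carry one. It assumes the files are UTF-8 and each has a <head> element; the default directory is a placeholder for <install_dir>.

```python
import re
import sys
from pathlib import Path

# CSP value exactly as given in the advisory's remediation example.
CSP_VALUE = ("default-src 'self'; img-src 'self' data:; font-src 'self' data:; "
             "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
             "style-src 'self' 'unsafe-inline'")
CSP_META = f'<meta http-equiv="Content-Security-Policy" content="{CSP_VALUE}">'

# Detect an existing CSP meta tag (any casing/quoting) so the patch is idempotent.
_HAS_CSP = re.compile(r'<meta\s[^>]*http-equiv\s*=\s*["\']?content-security-policy', re.I)
_HEAD_OPEN = re.compile(r'<head\b[^>]*>', re.I)


def add_csp_meta(html: str) -> str:
    """Return html with CSP_META placed directly after the opening <head> tag.
    Unchanged if a CSP meta tag is already present; ValueError if there is no <head>."""
    if _HAS_CSP.search(html):
        return html
    m = _HEAD_OPEN.search(html)
    if m is None:
        raise ValueError("no <head> element found")
    # First child of <head>, so the policy governs every later script and style.
    return html[:m.end()] + "\n" + CSP_META + html[m.end():]


def patch_help_pages(help_root: Path) -> list[Path]:
    """Patch help_root/*/index.htm in place (assumed UTF-8); return the changed files."""
    changed = []
    for index in sorted(help_root.glob("*/index.htm")):
        original = index.read_text(encoding="utf-8")
        try:
            updated = add_csp_meta(original)
        except ValueError as exc:
            # Report rather than silently leave a page unprotected.
            print(f"skipped {index}: {exc}", file=sys.stderr)
            continue
        if updated != original:
            index.write_text(updated, encoding="utf-8")
            changed.append(index)
    return changed


if __name__ == "__main__":
    # Placeholder path: substitute <install_dir>/webroot/_common/lvl5/help from the advisory.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "INSTALL_DIR/webroot/_common/lvl5/help")
    for path in patch_help_pages(root):
        print("patched", path)
```

Run it once after taking a backup of the help directory; re-running is safe because pages that already contain the tag are left untouched.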
Affected Vendors
Automated Logic Corporation (ALC)
Affected Products (1)
Automated Logic Corporation (ALC) · WebCtrl Server, versions <7.0
Affected Sectors
Commercial Facilities