CVE-2021-31682 Scanner

Detects the Cross-Site Scripting (XSS) vulnerability in Automated Logic WebCTRL/WebCTRL OEM (affects v. 6.5 and below).

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 4 weeks
Scan only one: URL
Toolbox: -

Automated Logic WebCTRL/WebCTRL OEM is a web application used for monitoring and controlling HVAC systems in buildings. This product is widely used in commercial buildings to ensure the comfort and safety of occupants through optimized heating, ventilation, and air conditioning. It allows facility managers to remotely control and monitor HVAC equipment, temperature, humidity, and lighting.

CVE-2021-31682 is a vulnerability in the Automated Logic WebCTRL/WebCTRL OEM login portal. Because the operatorlocale GET parameter is not sanitized, it is reflected into the login page without output encoding, which allows reflected XSS. This vulnerability affects versions 6.5 and below. An attacker exploits it by placing script in the operatorlocale parameter of a link; when a user follows the link, the value is echoed back into the page and runs in that user's browser.
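
The hypothetical Python below is an added illustration, not the page's or WebCTRL's own code: it places the reflection pattern the CVE describes beside an allow-listed, output-encoded version, and adds a check that flags non-locale operatorlocale values in constructed web-server log lines (the URL shape and log format are assumptions).

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical illustration of the pattern behind CVE-2021-31682 (reflected
# operatorlocale GET parameter); not WebCTRL's actual code.
LOCALE_RE = re.compile(r"^[a-z]{2,3}(_[A-Z]{2})?$")  # allow-list: "en", "en_US", ...
DEFAULT_LOCALE = "en"


def locale_from_url(url: str) -> str:
    """Return the raw operatorlocale query value, or "" if it is absent."""
    return parse_qs(urlsplit(url).query).get("operatorlocale", [""])[0]


def render_vulnerable(url: str) -> str:
    """'Before' pattern: the parameter is reflected into the page verbatim."""
    locale = locale_from_url(url) or DEFAULT_LOCALE
    return f'<input type="hidden" name="operatorlocale" value="{locale}">'


def safe_locale(raw: str) -> str:
    """Validate against the allow-list; anything else falls back to the default."""
    return raw if LOCALE_RE.match(raw) else DEFAULT_LOCALE


def render_hardened(url: str) -> str:
    """Fixed pattern: allow-list the value, then HTML-encode it on output."""
    locale = html.escape(safe_locale(locale_from_url(url)), quote=True)
    return f'<input type="hidden" name="operatorlocale" value="{locale}">'


def flag_suspicious(log_lines):
    """Detection: return request lines whose operatorlocale value is not a locale tag."""
    flagged = []
    for line in log_lines:
        url = line.split()[1]  # constructed log format: "<ip> <url> <status>"
        raw = locale_from_url(url)
        if raw and not LOCALE_RE.match(raw):
            flagged.append(line)
    return flagged


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 /?operatorlocale=en_US 200",
    "10.0.0.9 /?operatorlocale=en%22%3E%3Ci%3Eprobe%3C%2Fi%3E 200",
    "10.0.0.7 /?operatorlocale=fr 200",
]
```

The allow-list alone already neutralises the second log line; the output encoding in render_hardened is kept as defence in depth for any future code path that reflects the value.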

This vulnerability can lead to a variety of negative consequences when exploited. Attackers can steal sensitive data, such as login credentials, by tricking users into clicking on a malicious link. They can also inject malware, creating a backdoor that allows them unrestricted access to the HVAC system. This can result in significant damage to the building's infrastructure, compromised security, and financial loss.

At s4e.io, we provide a platform that enables users to quickly and easily identify vulnerabilities in their digital assets. Our pro features allow users to perform in-depth vulnerability scans, receive real-time alerts, and access an extensive database of security issues. By leveraging the power of our platform, users can proactively identify and resolve security issues before they become a problem. With s4e.io, you can rest assured that your digital assets are always secure.
