CVE-2024-5540
Description
The reflected cross-site scripting vulnerability found in ALC WebCTRL and Carrier i-Vu in versions older than 8.0 affects login panels, allowing a malicious actor to compromise the client browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in ALC WebCTRL and Carrier i-Vu login panels (versions < 8.0) allows attackers to compromise client browsers.
Vulnerability
Overview
CVE-2024-5540 is a reflected cross-site scripting (XSS) vulnerability affecting the login panels of Automated Logic WebCTRL and Carrier i-Vu building automation systems running versions older than 8.0. The vulnerability stems from improper neutralization of user-supplied input during login page rendering, allowing an attacker to inject arbitrary web scripts or HTML into the page response [1].
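The flaw class described above, improper neutralization of a reflected parameter during login-page rendering, is illustrated here with an added example. It is generic illustrative code, not WebCTRL or i-Vu code, and the parameter name `msg`, the form template and the probe string are all constructed for the demonstration. The unsafe renderer interpolates the query parameter into the HTML verbatim; the hardened renderer escapes it for an HTML text context first, and a small check shows how a test suite can tell the two apart.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed login-form template. The placeholder is where a server-side
# status message (e.g. "Invalid credentials") is reflected into the page.
LOGIN_TEMPLATE = (
    "<html><body><form method='post' action='/login'>"
    "<p class='error'>{message}</p>"
    "<input name='user'><input name='pass' type='password'>"
    "<button>Sign in</button></form></body></html>"
)


def _message_from_query(query_string: str) -> str:
    """Pull the 'msg' query parameter (an assumed name) out of a raw query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("msg", [""])[0]


def render_login_unsafe(query_string: str) -> str:
    """Reflected-XSS pattern: user input is interpolated into HTML unchanged."""
    return LOGIN_TEMPLATE.format(message=_message_from_query(query_string))


def render_login_safe(query_string: str) -> str:
    """Hardened form: escape <, >, &, " and ' before the value reaches the HTML text node."""
    escaped = html.escape(_message_from_query(query_string), quote=True)
    return LOGIN_TEMPLATE.format(message=escaped)


def reflects_markup_unescaped(page: str, submitted: str) -> bool:
    """Regression check: does a submitted value that carries markup-significant
    characters come back in the response byte-for-byte?"""
    has_markup_chars = any(c in submitted for c in "<>\"'&")
    return has_markup_chars and submitted in page


if __name__ == "__main__":
    # Constructed probe: harmless bold tags, enough to show whether escaping happened.
    probe = "<b>oops</b>"
    qs = "msg=" + quote(probe, safe="")
    print("unsafe renderer reflects markup:", reflects_markup_unescaped(render_login_unsafe(qs), probe))
    print("safe renderer reflects markup:  ", reflects_markup_unescaped(render_login_safe(qs), probe))
```

Escaping is the right fix only for an HTML text context such as the `<p>` used here; a value reflected into an attribute, a URL or a script block needs the encoding appropriate to that context.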
Exploitation
An attacker can exploit this flaw by crafting a malicious link that, when clicked by an authenticated or unauthenticated user, reflects the injected script in the login panel's response. No special network access is required beyond the ability to deliver the link to a user (e.g., via email or a compromised site). The attack does not require authentication to the target system, as the login page is publicly accessible [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, credential theft, or further compromise of the client's interactions with the building management system. The vulnerability is rated Medium severity (CVSS 6.1) due to the need for user interaction and the potential for data exposure [1].
Mitigation
Carrier and Automated Logic have addressed this issue in version 8.0 and later. Users are strongly advised to upgrade to the latest supported release. No workarounds have been published; however, restricting access to the login page via network segmentation can reduce exposure. The advisory CARR-PSA-2025-03 provides full details [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <8.0
- Range: <8.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.