CVE-2024-8528
Description
Reflected XSS using a specific URL in Automated Logic WebCTRL and Carrier i-VU can allow delivery of malicious payload due to a specific GET parameter not being sanitized.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Automated Logic WebCTRL and Carrier i-Vu allows attackers to deliver malicious payloads via an unsanitized GET parameter.
Vulnerability
Overview
CVE-2024-8528 is a reflected cross-site scripting (XSS) vulnerability affecting Automated Logic WebCTRL and Carrier i-Vu building management systems. The root cause is a specific GET parameter that is not properly sanitized before being reflected back to the user, enabling an attacker to inject arbitrary JavaScript or HTML into the response [1].
Exploitation
Prerequisites
An attacker can exploit this vulnerability by crafting a malicious URL containing the unsanitized GET parameter and tricking a victim into clicking it. No authentication is required to trigger the reflection, but the victim must be logged into the application for the injected script to execute in the context of their session. The attack vector is network-based, requiring only that the victim's browser can reach the affected server [1].
Impact
Successful exploitation allows an attacker to execute arbitrary script in the victim's browser within the security context of the vulnerable web application. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability is rated Medium severity, reflecting the need for user interaction and the potential for significant impact on confidentiality and integrity [1].
Mitigation
Carrier has published advisory CARR-PSA-2025-04 (ICSA-25-324-01) addressing this vulnerability. Users are advised to apply the recommended mitigations or updates provided by the vendor. As of the advisory date (November 18, 2025), no public exploitation has been reported, but prompt patching is recommended to reduce risk [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.