VYPR
Vendor: Automated Logic

Products: 5
CVEs: 18
Across products: 31
Status: Private


Recent CVEs (18)
  • CVE-2024-8525 | Critical | Nov 21, 2024
    risk 0.65 | cvss - | epss 0.01

    An unrestricted upload of file with dangerous type in Automated Logic WebCTRL 7.0 could allow an unauthenticated user to perform remote command execution via a crafted HTTP POST request which could lead to uploading a malicious file.

  • CVE-2024-5539 | Critical | Nov 27, 2025
    risk 0.60 | cvss - | epss 0.00

    The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web based building automation server.

  • CVE-2024-8527 | High | Nov 19, 2025
    risk 0.56 | cvss - | epss 0.00

    Open Redirect in URL parameter in Automated Logic WebCTRL and Carrier i-Vu versions 6.0, 6.5, 7.0, 8.0, 8.5, 9.0 may allow attackers to exploit user sessions.

  • CVE-2017-9650 | High | Aug 25, 2017
    risk 0.54 | cvss 7.8 | epss 0.02

    An Unrestricted Upload of File with Dangerous Type issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior;…

  • CVE-2018-8819 | High | Jun 14, 2018
    risk 0.49 | cvss 7.5 | epss 0.03

    An XXE issue was discovered in Automated Logic Corporation (ALC) WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying…

  • CVE-2017-9644 | High | Aug 25, 2017
    risk 0.49 | cvss 7.0 | epss 0.01

    An Unquoted Search Path or Element issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web 6.5 and prior; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL,…

  • CVE-2016-5795 | High | Aug 31, 2017
    risk 0.48 | cvss 7.3 | epss 0.02

    An XXE issue was discovered in Automated Logic Corporation (ALC) Liebert SiteScan Web Version 6.5 and prior, ALC WebCTRL Version 6.5 and prior, and Carrier i-Vu Version 6.5 and prior. An attacker could enter malicious input to WebCTRL, i-Vu, or SiteScan Web through a weakly…

  • CVE-2025-14295 | High | Jan 22, 2026
    risk 0.46 | cvss - | epss 0.00

    Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web session management component allows an attacker to access stored passwords in a…

  • CVE-2024-5540 | Medium | Nov 27, 2025
    risk 0.45 | cvss - | epss 0.00

    The reflective cross-site scripting vulnerability found in ALC WebCTRL and Carrier i-Vu in versions older than 8.0 affects login panels, allowing a malicious actor to compromise the client browser.

  • CVE-2017-9640 | Medium | Aug 25, 2017
    risk 0.45 | cvss 6.3 | epss 0.08

    A Path Traversal issue was discovered in Automated Logic Corporation (ALC) ALC WebCTRL, i-Vu, SiteScan Web prior to 6.5; ALC WebCTRL, SiteScan Web 6.1 and prior; ALC WebCTRL, i-Vu 6.0 and prior; ALC WebCTRL, i-Vu, SiteScan Web 5.5 and prior; and ALC WebCTRL, i-Vu, SiteScan Web…

  • CVE-2024-8526 | Medium | Nov 21, 2024
    risk 0.38 | cvss - | epss 0.01

    A vulnerability in Automated Logic WebCTRL 7.0 could allow an attacker to send a maliciously crafted URL, which, when visited by an authenticated WebCTRL user, could result in the redirection of the user to a malicious webpage via "index.jsp".

  • CVE-2024-8528 | Medium | Nov 19, 2025
    risk 0.35 | cvss - | epss 0.00

    Reflected XSS using a specific URL in Automated Logic WebCTRL and Carrier i-VU can allow delivery of malicious payload due to a specific GET parameter not being sanitized.

  • CVE-2021-31682 | Oct 22, 2021
    risk 0.06 | cvss - | epss 0.11

    The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue impacts versions 6.5 and below. This issue works by passing in a…

  • CVE-2026-24060 | Mar 20, 2026
    risk 0.00 | cvss - | epss 0.00

    Service information is not encrypted when transmitted as BACnet packets over the wire, and can be sniffed, intercepted, and modified by an attacker. Valuable information such as the File Start Position and File Data can be sniffed from network traffic using Wireshark's BACnet…

  • CVE-2026-32666 | Mar 20, 2026
    risk 0.00 | cvss - | epss 0.00

    WebCTRL systems that communicate over BACnet inherit the protocol's lack of network layer authentication. WebCTRL does not implement additional validation of BACnet traffic so an attacker with network access could spoof BACnet packets directed at either the WebCTRL server or…

  • CVE-2026-25086 | Mar 20, 2026
    risk 0.00 | cvss - | epss 0.00

    Under certain conditions, an attacker could bind to the same port used by WebCTRL. This could allow the attacker to craft and send malicious packets and impersonate the WebCTRL service without requiring code injection into the WebCTRL software.

  • CVE-2022-1019 | Apr 19, 2022
    risk 0.00 | cvss - | epss 0.01

    Automated Logic's WebCtrl Server Version 6.1 'Help' index pages are vulnerable to open redirection. The vulnerability allows an attacker to send a maliciously crafted URL which could result in redirecting the user to a malicious webpage or downloading a malicious file.

  • CVE-2020-19762 | Feb 22, 2021
    risk 0.00 | cvss - | epss 0.01

    Automated Logic Corporation (ALC) WebCTRL System 6.5 and prior allows remote attackers to execute any JavaScript code via a XSS payload for the first parameter in a GET request.