Automated Logic · Automated Logic Webctrl/Webctrl Oem · CVE-2021-31682
**Name of the Vulnerable Software and Affected Versions**
Automated Logic WebCTRL/WebCTRL OEM versions 6.5 and below
**Description**
The login portal of the Automated Logic WebCTRL/WebCTRL OEM web application is vulnerable to reflected cross-site scripting (XSS) because the `operatorlocale` GET parameter is not sanitized. A basic XSS payload supplied in the `operatorlocale` parameter is reflected into the response without proper sanitization or output encoding.
**Recommendations**
For versions 6.5 and below, consider disabling the `operatorlocale` parameter in the login portal until a patch is available; this removes the reflection point the XSS depends on. Restrict access to the login portal to minimize the risk of exploitation. Avoid using the `operatorlocale` parameter on the affected endpoint until the issue is resolved.
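The flaw class described above (a locale parameter reflected unencoded into the login page) and the mitigation side (allowlisting the parameter and reviewing access logs for non-locale values) are illustrated below. This is an added example written for this page, not code from Automated Logic or WebCTRL: the HTML layout, the `SUPPORTED_LOCALES` set and the sample access-log lines are all assumptions constructed for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of locale codes the login page may render. The product's real
# list of supported locales is not given in the advisory; these are placeholders.
SUPPORTED_LOCALES = {"en", "en_US", "de", "fr", "es", "ja"}
DEFAULT_LOCALE = "en"

PARAM = "operatorlocale"  # the GET parameter named in the advisory


def vulnerable_login_page(query_string: str) -> str:
    """Reflects the raw parameter value into HTML: the defect class the advisory describes.

    Constructed illustration only; this is not WebCTRL's actual page generator.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    locale = params.get(PARAM, [DEFAULT_LOCALE])[0]
    return (
        "<html><body>"
        f'<form action="/login"><input type="hidden" name="{PARAM}" value="{locale}">'
        f"<p>Locale: {locale}</p></form></body></html>"
    )


def safe_locale(raw: str) -> str:
    """Allowlist validation: only a known locale code is accepted, else the default is used."""
    return raw if raw in SUPPORTED_LOCALES else DEFAULT_LOCALE


def hardened_login_page(query_string: str) -> str:
    """Same page with the parameter allowlisted and then HTML-encoded on output."""
    params = parse_qs(query_string, keep_blank_values=True)
    locale = safe_locale(params.get(PARAM, [DEFAULT_LOCALE])[0])
    # Output encoding is kept even after allowlisting, so a future allowlist entry
    # containing HTML metacharacters could not reintroduce the reflection.
    enc = html.escape(locale, quote=True)
    return (
        "<html><body>"
        f'<form action="/login"><input type="hidden" name="{PARAM}" value="{enc}">'
        f"<p>Locale: {enc}</p></form></body></html>"
    )


# Constructed access-log lines in common log format; not real WebCTRL logs.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /?operatorlocale=en_US HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2021:10:00:05 +0000] "GET /?operatorlocale=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 540',
    '10.0.0.9 - - [01/Jan/2021:10:00:09 +0000] "GET /?foo=bar HTTP/1.1" 200 300',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_operatorlocale_requests(log_lines):
    """Return log lines whose operatorlocale value is not a known locale code.

    Useful for reviewing historical traffic on an unpatched login portal: any value
    outside the allowlist is, at best, a client error and, at worst, an XSS attempt.
    """
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs percent-decodes values, so encoded payloads are compared in decoded form.
        for raw in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            if raw not in SUPPORTED_LOCALES:
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    probe = "operatorlocale=<script>x</script>"  # constructed marker, not an exploit
    print("vulnerable:", vulnerable_login_page(probe))
    print("hardened:  ", hardened_login_page(probe))
    for hit in suspicious_operatorlocale_requests(SAMPLE_ACCESS_LOG):
        print("review:", hit)
```

The allowlist is the primary control here: a locale selector has a small, fixed set of legitimate values, so rejecting everything else is both simpler and stronger than trying to strip dangerous characters. The log scan applies the same allowlist to past requests, which is the check a defender would run before deciding whether an unpatched portal needs further investigation.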