Steve Knabe

**Name of the Vulnerable Software and Affected Versions** ALC WebCTRL versions prior to 8.6 Carrier i-Vu versions prior to 8.6 **Description** An access control bypass exists in ALC WebCTRL and Carrier i-Vu. This allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web-based building automation server. An unauthenticated attacker can remotely access sensitive building management system data. **Recommendations** Update ALC WebCTRL to a version prior to 8.6. Update Carrier i-Vu to a version prior to 8.6.

**Name of the Vulnerable Software and Affected Versions** ALC WebCTRL and Carrier i-Vu versions prior to 8.0 **Description** A reflective cross-site scripting issue exists in login panels. This allows a malicious actor to compromise the client browser. **Recommendations** Update ALC WebCTRL and Carrier i-Vu to version 8.0 or later.