Tony West

**Name of the Vulnerable Software and Affected Versions** SCT/SCT Pro versions prior to 14.2.2 **Description** The issue allows an attacker to identify and forge requests to internal systems by sending a specially crafted request. This could enable the attacker to determine if specific files or paths exist. **Recommendations** For versions prior to 14.2.2, update to version 14.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to internal systems to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Johnson Controls Metasys versions prior to 10.1.5 Johnson Controls Metasys versions prior to 11.0.2 **Description** A Server-Side Request Forgery (SSRF) issue in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. **Recommendations** For versions prior to 10.1.5, update to version 10.1.5 or later to resolve the issue. For versions prior to 11.0.2, update to version 11.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the MUI PDF export feature until a patch is available.