PT-2020-19631 · Siemens · Climatix Pol909+1

Published: 2020-04-14 · Updated: 2021-03-04 · CVE-2020-7574

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Climatix POL908 (BACnet/IP module): all versions
Climatix POL909 (AWM module): versions prior to V11.32

Description
A persistent (stored) cross-site scripting (XSS) issue exists in the "Server Config" web interface, allowing an attacker to inject arbitrary JavaScript code. This code could be executed later in the browser of another user who views the page, potentially compromising the confidentiality and integrity of that user's web session. The issue can be exploited by an attacker with network access, and no system privileges are required.

Recommendations
For Climatix POL908 (BACnet/IP module), at the moment there is no information about a newer version that contains a fix for this vulnerability. For Climatix POL909 (AWM module) versions prior to V11.32, update to version V11.32 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Server Config" web interface until a patch is available.
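The stored-XSS pattern the description refers to, shown as an added illustration that is not Siemens code and does not reproduce the Climatix firmware: a configuration value submitted to a form is saved and later written into a page unencoded, so any markup inside it runs in the next viewer's browser. The field name, page layout and the constructed sample value are assumptions; the fix is the standard one of HTML-encoding every stored value at render time.

```javascript
// Added example, not code from the Climatix product or the advisory.
// Shows a stored config value rendered unsafely versus HTML-encoded.

// Constructed sample value a user could submit to a config form (assumed field).
const CONSTRUCTED_HOSTNAME = 'bms.example<script>probe()</script>';

// Vulnerable pattern: the stored value is concatenated straight into HTML,
// so any markup it contains becomes live in the browser of whoever views the page later.
function renderRowUnsafe(label, value) {
  return `<tr><td>${label}</td><td>${value}</td></tr>`;
}

// Mitigation: encode the characters that can start or terminate HTML/attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every untrusted value passes through escapeHtml before output.
function renderRowSafe(label, value) {
  return `<tr><td>${escapeHtml(label)}</td><td>${escapeHtml(value)}</td></tr>`;
}

// Review check: does a stored value reach the rendered page verbatim while
// containing a script tag or inline event handler? True means the page is exposed.
function containsLiveMarkup(html, value) {
  return html.includes(value) && /<script|\son\w+=/i.test(value);
}

// Stand-alone demonstration.
const unsafeHtml = renderRowUnsafe('Host name', CONSTRUCTED_HOSTNAME);
const safeHtml = renderRowSafe('Host name', CONSTRUCTED_HOSTNAME);
console.log('unsafe exposed:', containsLiveMarkup(unsafeHtml, CONSTRUCTED_HOSTNAME)); // true
console.log('safe exposed:  ', containsLiveMarkup(safeHtml, CONSTRUCTED_HOSTNAME));   // false
```

The encoding step belongs at the point of output, not only on input: values that were stored before a fix shipped are still rendered, which is why the advisory's workaround of restricting access to the interface matters until the firmware is updated.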

XSS


Weakness Enumeration

Related Identifiers

CVE-2020-7574

Affected Products

Climatix Pol908
Climatix Pol909