CVE-2020-7575

Name of the Vulnerable Software and Affected Versions Climatix POL908 (BACnet/IP module) (All versions) Climatix POL909 (AWM module) versions prior to V11.32

Description A persistent cross-site scripting (XSS) issue exists in the web server access log page, allowing an attacker to inject arbitrary JavaScript code via specially crafted GET requests to / API endpoints, potentially exploiting the user session variable. This could be executed later by another privileged user, compromising the confidentiality and integrity of other users' web sessions. The issue can be exploited by an attacker with network access, requiring no system privileges.

Recommendations For Climatix POL908 (BACnet/IP module), at the moment, there is no information about a newer version that contains a fix for this vulnerability. For Climatix POL909 (AWM module) versions prior to V11.32, update to version V11.32 or later to resolve the issue. As a temporary workaround, consider restricting access to the web server access log page until a patch is available.