All CISA Advisories, EN

Johnson Controls exacqVision Server Web Service

2024-08-01 16:08

1. EXECUTIVE SUMMARY

CVSS v4 7.6
ATTENTION: Exploitable remotely
Vendor: Johnson Controls Inc.
Equipment: exacqVision Web Service
Vulnerability: Permissive Cross-domain Policy with Untrusted Domains

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to send an unauthorized request or access data from an untrusted domain.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports that the following versions of exacqVision Web Service are affected:

exacqVision Web Service: 22.12.1.0

3.2 Vulnerability Overview

3.2.1 Permissive Cross-domain Policy with Untrusted Domains CWE-942

Under certain circumstances the exacqVision web service does not provide sufficient protection from untrusted domains.

CVE-2024-32862 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-32862 . A base score of 7.6 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COM

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from All CISA Advisories

Read the original article:

Johnson Controls exacqVision Server Web Service

Tags: All CISA Advisories EN

Post navigation

← Fortinet’s Progress on its Secure by Design Pledge Commitments

Johnson Controls exacqVision Web Service →

Search for:
Pages

Advertising

Contact

Legal and Contact information

Opt-out preferences

Privacy Policy

Social Media

Apps

Telegram Channel

Recent Posts

IT Security News Hourly Summary 2025-08-04 09h : 6 posts August 4, 2025

Drone Leader DJI Launches First 360-Degree Camera August 4, 2025

China’s ‘Instant Commerce’ Companies Call Truce On Price War August 4, 2025

APT37 Hackers Weaponizes JPEG Files to Attack Windows Systems Leveraging “mspaint.exe” August 4, 2025

Interlock Ransomware Employs ClickFix Technique to Run Malicious Commands on Windows Machines August 4, 2025

Microsoft PlayReady DRM Used by Netflix, Amazon, and Disney+ Leaked Online August 4, 2025

A week in security (July 28 – August 3) August 4, 2025

Augmented Empathy: Head-to-Head Interview August 4, 2025

PlayPraetor Android Trojan Infects 11,000+ Devices via Fake Google Play Pages and Meta Ads August 4, 2025

#BHUSA: Cloud Intrusions Skyrocket in 2025 August 4, 2025

Akira’s SonicWall zero-day, UK Legal-Aid suffers, Luxembourg 5G attack August 4, 2025

Cybersecurity Today: Hamilton’s Ransomware Crisis and Emerging AI and OAuth Threats August 4, 2025

Augmented Empathy: How AI is Redefining Human-Centric CX (Part 2) August 4, 2025

Nvidia Denies Chip Backdoors Amidst China Probe August 4, 2025

Critical Squid Flaw Allows Remote Code Execution by Attackers August 4, 2025

China’s botched Great Firewall upgrade invites attacks on its censorship infrastructure August 4, 2025

Critical HashiCorp Vulnerability Allows Attackers to Run Code on Host Machine August 4, 2025

APT37 Hackers Weaponizes JPEG Files to Attack Windows Systems Leveraging “mspaint.exe” File August 4, 2025

NestJS Vulnerability Allows Code Execution on Developer Machines August 4, 2025

AI-Powered Cursor IDE Exposes Users to Silent Remote Code Execution August 4, 2025

Copyright © 2025 IT Security News. All Rights Reserved. The Magazine Basic Theme by bavotasan.com.

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options Manage services Manage {vendor_count} vendors Read more about these purposes

View preferences

{title} {title} {title}