4 matches found
Automated Logic Corporation WebCTRL Improper Restriction of XML External Entity Reference (CVE-2018-8819)
An XXE issue was discovered in Automated Logic Corporation ALC WebCTRL Versions 6.0, 6.1 and 6.5. An unauthenticated attacker could enter malicious input to WebCTRL and a weakly configured XML parser will allow the application to disclose full file contents from the underlying web server OS via t...
CVE-2018-8819
The CVE-2018-8819 issue affects Automated Logic Corporation (ALC) WebCTRL versions 6.0, 6.1 and 6.5. It is an XML External Entity (XXE) vulnerability in a weakly configured XML parser that allows an unauthenticated attacker to disclose full file contents from the underlying web server OS via the ...
How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL
I like to do bug bounties from time to time, mostly when I am sacrificing sleep once the kids are finally out cold. This seemed like a worthy experience to document. Let me just start by saying I dont plan on going into the whole recon bits too deeply here. Maybe I will someday if I ever have...
WebCTRL Out-Of-Band XML Injection
CVE-2018-8819 Product Description WebCTRL is a BACnet native, intelligent, HVAC and energy control system for your building. A proven, industry-leading system, the WebCTRLAr building automation system gives you the ability to fully understand your operations and analyze the results with tools tha...