Automated Logic: Automated Logic WebCTRL / Carrier i-Vu: Reflective XSS in Login Panel
CWE-79
Cross-site Scripting
—
Summary
Per NVD: “The reflective cross-site scripting vulnerability found in ALC WebCTRL and Carrier i-Vu in versions older than 8.0 affects login panels allowing a malicious actor to compromise the client browser.”
Affected Packages / Versions
- Package: Automated Logic WebCTRL / Carrier i-Vu (—)
- Latest published version at triage time: Per NVD: versions older than 8.0
- Affected range: WebCTRL and Carrier i-Vu versions older than 8.0 (per NVD)
- Patched version: See Carrier Product Security advisory list (corporate.carrier.com/product-security/advisories-resources/)
Impact
NVD’s description ends at “compromise the client browser.” Specific downstream effects (operator session hijack, BMS configuration actions) are not stated by NVD and should be confirmed with the researcher.
Severity Rationale
NVD does not list a CVSS score for this CVE at fetch time; the Praetorian cve-research listing assigns CVSS 6.9 (Medium). Reviewer should confirm the score source before publication.
Fix
Apply the Automated Logic / Carrier security update. Vendor advisories are listed at corporate.carrier.com/product-security/advisories-resources/.
Disclosure timeline
- TBD: Reported to vendor
- TBD: Patch released
- TBD: Public disclosure
Fix Commit(s)
References
Discovered by Praetorian Labs · Published April 29, 2026