CVE-2020-9049

Summary

A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack.

Affected Software

VendorProductVersion RangeStatus
Johnson Controlsvictor Web Client version 5.6 and priorunspecified <= 5.6affected
Johnson ControlsC•CURE Web Client version 2.90 and prior (Note - This does not affect the new web-based C•CURE 9000 client that was introduced in C•CURE 9000 v2.90)unspecified <= 2.90affected

Weaknesses

  • CWE-285: CWE-285 : Improper Access Control (Authorization)

ADP Enrichment

CVE Program Container

Additional References

References