Overview
An authenticated exacqVision Enterprise Manager user could access a web page that does not properly preserve the web page structure.
Impact
The software does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page served to other users.
Affected Versions
All versions of exacqVision Enterprise Manager up to and including version 20.12.
Mitigation
Upgrade all previous versions of exacqVision Enterprise Manager to the latest version (21.03 or later).
Current users can obtain the critical software update from the Software Downloads location: https://www.exacq.com/support/downloads.php?section=esm
Resources
Cyber Solutions Website – https://www.johnsoncontrols.com/cyber-solutions/security-advisories (JCI-PSA-2021-08)
CVE-2021-27658 – NIST National Vulnerability Database (NVD) https://nvd.nist.gov/vuln/detail/CVE-2021-27658 and MITRE CVE® https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27658