CVE-2020-9049
HIGH
American Dynamics victor Web Client <5.6 & Software House CCURE Web Client <2.90 - DoS via JWT Bypass
Title source: llm
Description
A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01
Scores
CVSS v3
7.1
EPSS
0.0053
EPSS Percentile
40.3%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Details
CWE
CWE-285
CWE-287
Status
published
Products (2)
johnsoncontrols/c-cure_web
< 2.90
johnsoncontrols/victor_web
< 5.6
Published
Nov 19, 2020
Tracked Since
Feb 18, 2026