CVE-2022-1019

Automated Logic WebCtrl Server Open Redirection Vulnerability

Description

Automated Logic's WebCtrl Server Version 6.1 'Help' index pages are vulnerable to open redirection. The vulnerability allows an attacker to send a maliciously crafted URL which could result in redirecting the user to a malicious webpage or downloading a malicious file.

Remediation

Solution:

  • Upgrade to the latest supported version of WebCtrl 7.0 “October 29, 2020 - cumulative patch” or later.

Workaround:

  • As a manual workaround, an administrator can add the CSP header/meta tag to each “index.htm” file in each of the directories under “/webroot/_common/lvl5/help/*”. These are the main index files of the help for each program/tool and are all web accessible. Example would read:

CVSS: 5.2
Severity: Medium
EPSS: 0.24%
Third-Party Advisory: carrier.com
Affected: Automated Logic WebCtrl Server

Frequently Asked Questions

What is the severity of CVE-2022-1019?
CVE-2022-1019 has been scored as a medium severity vulnerability.
How to fix CVE-2022-1019?
To fix CVE-2022-1019: Upgrade to the latest supported version of WebCtrl 7.0 “October 29, 2020 - cumulative patch” or later.
Is CVE-2022-1019 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2022-1019 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-1019?
CVE-2022-1019 affects Automated Logic WebCtrl Server.