Medium
Johnson Controls Metasys SCT Pro is vulnerable to server-side request forgery (SSRF), caused by improper validation of user requests. By sending a specially crafted request, a remote attacker could exploit this vulnerability to conduct an SSRF attack, allowing the attacker to access or manipulate resources from the perspective of the affected server.
Refer to the Johnson Controls Product Security Advisory for patch, upgrade, or suggested workaround information.