The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser.
Credits
Maximilian Hildebrand of G DATA Advanced Analytics reported this vulnerability to CISA.
