CVE-2017-5143 is a high-severity directory traversal issue in Honeywell XL Web II controller web interfaces. According to the NVD record, an unauthenticated user can trigger directory traversal by accessing a specific URL. The issue is rated CVSS 8.6 and was published on 2017-02-13.
CVE-2017-5142 is a critical Honeywell XL Web II / XLWeb 500 controller issue where a low-privileged user can access a specific URL to open and change parameters because of improper privilege management. The published CVSS 3.0 vector indicates network accessibility, low attack complexity, low privileges required, no user interaction, and impact to confidentiality, integrity, and availability.
CVE-2017-5141 affects Honeywell XL Web II controller software and is described as a session fixation issue. An attacker can establish a new user session without invalidating the existing session identifier, creating an opportunity to steal authenticated sessions. The CVE was published on 2017-02-13 and later modified in NVD on 2026-05-13.
CVE-2017-5140 is a critical credential-protection weakness in Honeywell XL Web II controller software. NVD describes the issue as a password being stored in clear text in XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. Because the secret can be exposed rather than protected, an attacker who can access the stored value may be able to reuse credentials and gain broader contr [truncated]
CVE-2017-5139 is a critical Honeywell XL Web II controller issue where a password can be disclosed by accessing a specific URL. NVD classifies the weakness as CWE-522 (insufficiently protected credentials) and rates the issue CVSS 3.0 9.8, reflecting network accessibility, no required privileges, no user interaction, and high impact to confidentiality, integrity, and availability. The affected products li [truncated]