1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely  Vendor: Johnson Controls  Equipment:  System Configuration Tool  Vulnerabilities: Sensitive Cookie Without ‘HttpOnly’ Flag, Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute  2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to access cookies and take over the…