All versions of Honeywell Tuxedo Touch Controller are vulnerable to authentication bypass and cross-site request forgery (CSRF).
CWE-603: Use of Client-Side Authentication - CVE-2015-2847
A remote, unauthenticated attacker may be able to bypass authentication checks to view restricted pages, or trick an authenticated user into making an unintentional request to the web server which will be treated as an authentic request. Compromised Tuxedo Touch Controllers may be leveraged to operate home automation devices, such as unlocking or locking doors.
Apply an update
Thanks to Maxim Rupp for reporting this vulnerability.
This document was written by Joel Land.