All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries.
https://www.johnsoncontrols.com/cyber-solutions/security-advisories