Vulnerabilities > Johnsoncontrols

DATE	CVE	VULNERABILITY TITLE	RISK
2023-05-18	CVE-2023-2024	Improper Authentication vulnerability in Johnsoncontrols Openblue Enterprise Manager Data Collector Improper authentication in OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 allow access to an unauthorized user under certain circumstances. network low complexity johnsoncontrols CWE-287	7.5
2023-05-18	CVE-2023-2025	Exposure of Resource to Wrong Sphere vulnerability in Johnsoncontrols Openblue Enterprise Manager Data Collector OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 may expose sensitive information to an unauthorized user under certain circumstances. network low complexity johnsoncontrols CWE-668	6.5
2023-02-09	CVE-2022-21939	Cross-site Scripting vulnerability in Johnsoncontrols Metasys System Configuration Tool Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie. network low complexity johnsoncontrols CWE-79	6.1
2023-02-09	CVE-2022-21940	Cross-site Scripting vulnerability in Johnsoncontrols Metasys System Configuration Tool Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie. network low complexity johnsoncontrols CWE-79	6.1
2023-01-13	CVE-2021-36204	Insufficiently Protected Credentials vulnerability in Johnsoncontrols products Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text. network low complexity johnsoncontrols CWE-522	7.5
2022-10-28	CVE-2021-36206	Cross-site Scripting vulnerability in Johnsoncontrols Cevas All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries. network low complexity johnsoncontrols CWE-79	6.1
2022-10-11	CVE-2021-36201	Information Exposure Through Discrepancy vulnerability in Johnsoncontrols C-Cure 9000 Firmware 2.70/2.80/2.90 Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions. network low complexity johnsoncontrols CWE-203	5.3
2022-10-07	CVE-2022-21936	Improper Authentication vulnerability in Johnsoncontrols Metasys Extended Application and Data Server 12.0 On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI. network low complexity johnsoncontrols CWE-287	6.5
2022-08-31	CVE-2022-21941	Command Injection vulnerability in Johnsoncontrols Istar Ultra Firmware All versions of iSTAR Ultra prior to version 6.8.9.CU01 are vulnerable to a command injection that could allow an unauthenticated user root access to the system. network low complexity johnsoncontrols CWE-77 critical	9.8
2022-06-15	CVE-2022-21938	Cross-site Scripting vulnerability in Johnsoncontrols products Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. network johnsoncontrols CWE-79	3.5

Vulnerabilities > Johnsoncontrols {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"Johnsoncontrols"}]}

Vulnerabilities > Johnsoncontrols