Vulnerabilities > Johnsoncontrols > Metasys Application AND Data Server

DATE CVE VULNERABILITY TITLE RISK
2023-01-13 CVE-2021-36204 Insufficiently Protected Credentials vulnerability in Johnsoncontrols products
Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.
network
low complexity
johnsoncontrols CWE-522
7.5
2022-07-22 CVE-2021-36200 Missing Authentication for Critical Function vulnerability in Johnsoncontrols products
Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.
network
low complexity
johnsoncontrols CWE-306
5.3
2022-06-15 CVE-2022-21938 Cross-site Scripting vulnerability in Johnsoncontrols products
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.
network
low complexity
johnsoncontrols CWE-79
5.4
2022-06-15 CVE-2022-21935 Improper Authentication vulnerability in Johnsoncontrols products
A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change.
network
low complexity
johnsoncontrols CWE-287
7.5
2022-06-15 CVE-2022-21937 Cross-site Scripting vulnerability in Johnsoncontrols products
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface.
network
low complexity
johnsoncontrols CWE-79
5.4
2022-05-06 CVE-2022-21934 Improper Authentication vulnerability in Johnsoncontrols products
Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.
network
low complexity
johnsoncontrols CWE-287
8.8
2022-04-29 CVE-2021-36207 Improper Privilege Management vulnerability in Johnsoncontrols products
Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator.
network
low complexity
johnsoncontrols CWE-269
8.8
2022-04-15 CVE-2021-36205 Incomplete Cleanup vulnerability in Johnsoncontrols products
Under certain circumstances the session token is not cleared on logout.
network
low complexity
johnsoncontrols CWE-459
critical
9.8
2022-04-07 CVE-2021-36202 Server-Side Request Forgery (SSRF) vulnerability in Johnsoncontrols products
Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature.
network
low complexity
johnsoncontrols CWE-918
8.8
2020-03-10 CVE-2020-9044 XXE vulnerability in Johnsoncontrols products
XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files.
network
low complexity
johnsoncontrols CWE-611
critical
9.1