Vulnerabilities > Johnsoncontrols > Metasys Application AND Data Server
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-13 | CVE-2021-36204 | Insufficiently Protected Credentials vulnerability in Johnsoncontrols products Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text. | 7.5 |
| 2022-06-15 | CVE-2022-21938 | Cross-site Scripting vulnerability in Johnsoncontrols products Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. | 3.5 |
| 2022-06-15 | CVE-2022-21935 | Improper Authentication vulnerability in Johnsoncontrols products A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change. | 5.0 |
| 2022-06-15 | CVE-2022-21937 | Cross-site Scripting vulnerability in Johnsoncontrols products Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. | 2.1 |
| 2022-05-06 | CVE-2022-21934 | Improper Authentication vulnerability in Johnsoncontrols products Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2. | 6.0 |
| 2022-04-29 | CVE-2021-36207 | Improper Privilege Management vulnerability in Johnsoncontrols products Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator. | 8.5 |
| 2022-04-15 | CVE-2021-36205 | Incomplete Cleanup vulnerability in Johnsoncontrols products Under certain circumstances the session token is not cleared on logout. | 6.8 |
| 2022-04-07 | CVE-2021-36202 | Server-Side Request Forgery (SSRF) vulnerability in Johnsoncontrols products Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. | 6.5 |
| 2020-03-10 | CVE-2020-9044 | XXE vulnerability in Johnsoncontrols products XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. | 6.4 |