Vulnerabilities > Johnsoncontrols > Metasys Extended Application AND Data Server > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-10-07 | CVE-2022-21936 | Improper Authentication vulnerability in Johnsoncontrols Metasys Extended Application and Data Server 12.0 On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI. | 6.5 |
2022-07-22 | CVE-2021-36200 | Missing Authentication for Critical Function vulnerability in Johnsoncontrols products Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users. | 5.3 |
2022-06-15 | CVE-2022-21938 | Cross-site Scripting vulnerability in Johnsoncontrols products Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. | 5.4 |
2022-06-15 | CVE-2022-21937 | Cross-site Scripting vulnerability in Johnsoncontrols products Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. | 5.4 |