Vulnerabilities > Johnsoncontrols > Metasys Extended Application AND Data Server > Medium

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | COMPLEXITY | VENDOR | CWE | RISK |
|---|---|---|---|---|---|---|---|---|
| 2022-10-07 | CVE-2022-21936 | Improper Authentication vulnerability in Johnsoncontrols Metasys Extended Application and Data Server 12.0 | On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI. | network | low complexity | johnsoncontrols | CWE-287 | 6.5 |
| 2022-07-22 | CVE-2021-36200 | Missing Authentication for Critical Function vulnerability in Johnsoncontrols products | Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users. | network | low complexity | johnsoncontrols | CWE-306 | 5.3 |
| 2022-06-15 | CVE-2022-21938 | Cross-site Scripting vulnerability in Johnsoncontrols products | Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. | network | low complexity | johnsoncontrols | CWE-79 | 5.4 |
| 2022-06-15 | CVE-2022-21937 | Cross-site Scripting vulnerability in Johnsoncontrols products | Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. | network | low complexity | johnsoncontrols | CWE-79 | 5.4 |