Vulnerabilities > Johnsoncontrols > Metasys Open Application Server > 11.0

DATE CVE VULNERABILITY TITLE RISK
2023-01-13 CVE-2021-36204 Insufficiently Protected Credentials vulnerability in Johnsoncontrols products
Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.
network
low complexity
johnsoncontrols CWE-522
7.5
2022-07-22 CVE-2021-36200 Missing Authentication for Critical Function vulnerability in Johnsoncontrols products
Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.
network
low complexity
johnsoncontrols CWE-306
5.3
2022-06-15 CVE-2022-21938 Cross-site Scripting vulnerability in Johnsoncontrols products
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.
network
low complexity
johnsoncontrols CWE-79
5.4
2022-06-15 CVE-2022-21935 Improper Authentication vulnerability in Johnsoncontrols products
A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change.
network
low complexity
johnsoncontrols CWE-287
7.5
2022-06-15 CVE-2022-21937 Cross-site Scripting vulnerability in Johnsoncontrols products
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface.
network
low complexity
johnsoncontrols CWE-79
5.4
2022-05-06 CVE-2022-21934 Improper Authentication vulnerability in Johnsoncontrols products
Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.
network
low complexity
johnsoncontrols CWE-287
8.8
2022-04-29 CVE-2021-36207 Improper Privilege Management vulnerability in Johnsoncontrols products
Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator.
network
low complexity
johnsoncontrols CWE-269
8.8
2022-04-15 CVE-2021-36205 Incomplete Cleanup vulnerability in Johnsoncontrols products
Under certain circumstances the session token is not cleared on logout.
network
low complexity
johnsoncontrols CWE-459
critical
9.8
2022-04-07 CVE-2021-36202 Server-Side Request Forgery (SSRF) vulnerability in Johnsoncontrols products
Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature.
network
low complexity
johnsoncontrols CWE-918
8.8