Vulnerabilities > Johnsoncontrols > Metasys Open Application Server > 11.0

DATE	CVE	VULNERABILITY TITLE	RISK
2023-01-13	CVE-2021-36204	Insufficiently Protected Credentials vulnerability in Johnsoncontrols products Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text. network low complexity johnsoncontrols CWE-522	7.5
2022-07-22	CVE-2021-36200	Missing Authentication for Critical Function vulnerability in Johnsoncontrols products Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users. network low complexity johnsoncontrols CWE-306	5.3
2022-06-15	CVE-2022-21938	Cross-site Scripting vulnerability in Johnsoncontrols products Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. network low complexity johnsoncontrols CWE-79	5.4
2022-06-15	CVE-2022-21935	Improper Authentication vulnerability in Johnsoncontrols products A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change. network low complexity johnsoncontrols CWE-287	7.5
2022-06-15	CVE-2022-21937	Cross-site Scripting vulnerability in Johnsoncontrols products Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. network low complexity johnsoncontrols CWE-79	5.4
2022-05-06	CVE-2022-21934	Improper Authentication vulnerability in Johnsoncontrols products Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2. network low complexity johnsoncontrols CWE-287	8.8
2022-04-29	CVE-2021-36207	Improper Privilege Management vulnerability in Johnsoncontrols products Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator. network low complexity johnsoncontrols CWE-269	8.8
2022-04-15	CVE-2021-36205	Incomplete Cleanup vulnerability in Johnsoncontrols products Under certain circumstances the session token is not cleared on logout. network low complexity johnsoncontrols CWE-459 critical	9.8
2022-04-07	CVE-2021-36202	Server-Side Request Forgery (SSRF) vulnerability in Johnsoncontrols products Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. network low complexity johnsoncontrols CWE-918	8.8

CVE is a registered MITRE Corporation trademark and MITRE's CVE website is the authoritative source of CVE content. CWE is a registered MITRE Corporation trademark and MITRE's CWE website is the authoritative source of CWE content.