Vulnerabilities > Johnsoncontrols > Metasys Open Application Server > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-07-22 CVE-2021-36200 Missing Authentication for Critical Function vulnerability in Johnsoncontrols products
Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.
network
low complexity
johnsoncontrols CWE-306
5.3
2022-06-15 CVE-2022-21938 Cross-site Scripting vulnerability in Johnsoncontrols products
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.
network
low complexity
johnsoncontrols CWE-79
5.4
2022-06-15 CVE-2022-21937 Cross-site Scripting vulnerability in Johnsoncontrols products
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface.
network
low complexity
johnsoncontrols CWE-79
5.4