Vulnerabilities > Johnsoncontrols
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-28 | CVE-2021-36206 | Cross-site Scripting vulnerability in Johnsoncontrols Cevas All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries. | 6.1 |
| 2022-10-11 | CVE-2021-36201 | Information Exposure Through Discrepancy vulnerability in Johnsoncontrols C-Cure 9000 Firmware 2.70/2.80/2.90 Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions. | 5.3 |
| 2022-10-07 | CVE-2022-21936 | Improper Authentication vulnerability in Johnsoncontrols Metasys Extended Application and Data Server 12.0 On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI. | 6.5 |
| 2022-08-31 | CVE-2022-21941 | Command Injection vulnerability in Johnsoncontrols Istar Ultra Firmware All versions of iSTAR Ultra prior to version 6.8.9.CU01 are vulnerable to a command injection that could allow an unauthenticated user root access to the system. | 9.8 |
| 2022-06-15 | CVE-2022-21938 | Cross-site Scripting vulnerability in Johnsoncontrols products Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. | 3.5 |
| 2022-06-15 | CVE-2022-21935 | Improper Authentication vulnerability in Johnsoncontrols products A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change. | 5.0 |
| 2022-06-15 | CVE-2022-21937 | Cross-site Scripting vulnerability in Johnsoncontrols products Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. | 2.1 |
| 2022-05-06 | CVE-2022-21934 | Improper Authentication vulnerability in Johnsoncontrols products Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2. | 6.0 |
| 2022-04-29 | CVE-2021-36207 | Improper Privilege Management vulnerability in Johnsoncontrols products Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator. | 8.5 |
| 2022-04-22 | CVE-2021-36203 | Server-Side Request Forgery (SSRF) vulnerability in Johnsoncontrols Metasys System Configuration Tool The affected product may allow an attacker to identify and forge requests to internal systems by way of a specially crafted request. | 6.4 |