Vulnerabilities > Johnsoncontrols > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-01 | CVE-2024-32758 | Inadequate Encryption Strength vulnerability in Johnsoncontrols Exacqvision Client and Exacqvision Server Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange | 7.5 |
| 2024-08-01 | CVE-2024-32862 | Incorrect Comparison vulnerability in Johnsoncontrols Exacqvision web Service 20.06.11.0/20.06.3.0/21.03 Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains. | 8.1 |
| 2024-08-01 | CVE-2024-32865 | Improper Certificate Validation vulnerability in Johnsoncontrols Exacqvision Server 21.06.11.0/9.6/9.8 Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices. | 7.3 |
| 2024-08-01 | CVE-2024-32863 | Cross-Site Request Forgery (CSRF) vulnerability in Johnsoncontrols Exacqvision web Service 20.06.11.0/20.06.3.0/21.03 Under certain circumstances the exacqVision Web Services may be susceptible to Cross-Site Request Forgery (CSRF) | 8.8 |
| 2024-08-01 | CVE-2024-32864 | Cleartext Transmission of Sensitive Information vulnerability in Johnsoncontrols Exacqvision web Service 20.06.11.0/20.06.3.0/21.03 Under certain circumstances exacqVision Web Services will not enforce secure web communications (HTTPS) | 8.1 |
| 2023-12-07 | CVE-2023-4486 | Allocation of Resources Without Limits or Throttling vulnerability in Johnsoncontrols products Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4 and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service. | 7.5 |
| 2023-05-18 | CVE-2023-2024 | Improper Authentication vulnerability in Johnsoncontrols Openblue Enterprise Manager Data Collector Improper authentication in OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 allow access to an unauthorized user under certain circumstances. | 7.5 |
| 2023-01-13 | CVE-2021-36204 | Insufficiently Protected Credentials vulnerability in Johnsoncontrols products Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text. | 7.5 |
| 2022-04-29 | CVE-2021-36207 | Improper Privilege Management vulnerability in Johnsoncontrols products Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator. | 8.5 |
| 2020-10-08 | CVE-2020-9048 | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack. | 8.1 |