Vulnerabilities > Johnsoncontrols > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-01 | CVE-2024-32758 | Inadequate Encryption Strength vulnerability in Johnsoncontrols Exacqvision Client and Exacqvision Server Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange | 7.5 |
| 2024-08-01 | CVE-2024-32862 | Incorrect Comparison vulnerability in Johnsoncontrols Exacqvision web Service 20.06.11.0/20.06.3.0/21.03 Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains. | 8.1 |
| 2024-08-01 | CVE-2024-32865 | Improper Certificate Validation vulnerability in Johnsoncontrols Exacqvision Server 21.06.11.0/9.6/9.8 Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices. | 7.3 |
| 2024-08-01 | CVE-2024-32863 | Cross-Site Request Forgery (CSRF) vulnerability in Johnsoncontrols Exacqvision web Service 20.06.11.0/20.06.3.0/21.03 Under certain circumstances the exacqVision Web Services may be susceptible to Cross-Site Request Forgery (CSRF) | 8.8 |
| 2024-08-01 | CVE-2024-32864 | Cleartext Transmission of Sensitive Information vulnerability in Johnsoncontrols Exacqvision web Service 20.06.11.0/20.06.3.0/21.03 Under certain circumstances exacqVision Web Services will not enforce secure web communications (HTTPS) | 8.1 |
| 2023-12-07 | CVE-2023-4486 | Allocation of Resources Without Limits or Throttling vulnerability in Johnsoncontrols products Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4 and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service. | 7.5 |
| 2023-05-18 | CVE-2023-2024 | Improper Authentication vulnerability in Johnsoncontrols Openblue Enterprise Manager Data Collector Improper authentication in OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 allow access to an unauthorized user under certain circumstances. | 7.5 |
| 2023-01-13 | CVE-2021-36204 | Insufficiently Protected Credentials vulnerability in Johnsoncontrols products Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text. | 7.5 |
| 2022-06-15 | CVE-2022-21935 | Improper Authentication vulnerability in Johnsoncontrols products A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change. | 7.5 |
| 2022-05-06 | CVE-2022-21934 | Improper Authentication vulnerability in Johnsoncontrols products Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2. | 8.8 |