Vulnerabilities > Johnsoncontrols > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-01 | CVE-2024-32931 | Unspecified vulnerability in Johnsoncontrols Exacqvision web Service 20.06.11.0/20.06.3.0/21.03 Under certain circumstances the exacqVision Web Service can expose authentication token details within communications. | 5.7 |
| 2024-06-06 | CVE-2024-0912 | Information Exposure Through Log Files vulnerability in Johnsoncontrols Software House C-Cure 9000 Siteserver 3.00.2 Under certain circumstances the Microsoft® Internet Information Server (IIS) used to host the C•CURE 9000 Web Server will log Microsoft Windows credential details within logs. | 4.2 |
| 2023-12-14 | CVE-2023-0248 | Memory Leak vulnerability in Johnsoncontrols Iosmart GEN 1 Firmware An attacker with physical access to the Kantech Gen1 ioSmart card reader with firmware version prior to 1.07.02 in certain circumstances can recover the reader's communication memory between the card and reader. | 5.3 |
| 2023-08-03 | CVE-2023-3749 | Insufficient Verification of Data Authenticity vulnerability in Johnsoncontrols Videoedge 5.4.1/5.7.1 A local user could edit the VideoEdge configuration file and interfere with VideoEdge operation. | 5.5 |
| 2023-05-18 | CVE-2023-2025 | Exposure of Resource to Wrong Sphere vulnerability in Johnsoncontrols Openblue Enterprise Manager Data Collector OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 may expose sensitive information to an unauthorized user under certain circumstances. | 6.5 |
| 2023-02-09 | CVE-2022-21939 | Incorrect Permission Assignment for Critical Resource vulnerability in Johnsoncontrols Metasys System Configuration Tool Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie. | 6.1 |
| 2023-02-09 | CVE-2022-21940 | Missing Encryption of Sensitive Data vulnerability in Johnsoncontrols Metasys System Configuration Tool Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie. | 6.1 |
| 2022-10-28 | CVE-2021-36206 | Cross-site Scripting vulnerability in Johnsoncontrols Cevas All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries. | 6.1 |
| 2022-10-11 | CVE-2021-36201 | Information Exposure Through Discrepancy vulnerability in Johnsoncontrols C-Cure 9000 Firmware 2.70/2.80/2.90 Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions. | 5.3 |
| 2022-10-07 | CVE-2022-21936 | Improper Authentication vulnerability in Johnsoncontrols Metasys Extended Application and Data Server 12.0 On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI. | 6.5 |