Vulnerabilities > Johnsoncontrols > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-07-22 CVE-2021-36200 Missing Authentication for Critical Function vulnerability in Johnsoncontrols products
Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.
network
low complexity
johnsoncontrols CWE-306
5.3
2022-06-15 CVE-2022-21938 Cross-site Scripting vulnerability in Johnsoncontrols products
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.
network
low complexity
johnsoncontrols CWE-79
5.4
2022-06-15 CVE-2022-21937 Cross-site Scripting vulnerability in Johnsoncontrols products
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface.
network
low complexity
johnsoncontrols CWE-79
5.4
2022-04-13 CVE-2022-26643 Unspecified vulnerability in Johnsoncontrols Easyio CPT Graphics 0.8
An issue in EasyIO CPT Graphics v0.8 allows attackers to discover valid users in the application.
network
low complexity
johnsoncontrols
5.3
2022-01-14 CVE-2021-36199 Unspecified vulnerability in Johnsoncontrols Videoedge 5.4.1/5.7.1
Running a vulnerability scanner against VideoEdge NVRs can cause some functionality to stop.
network
low complexity
johnsoncontrols
5.3
2021-06-24 CVE-2021-27658 Cross-site Scripting vulnerability in Johnsoncontrols Exacqvision Enterprise Manager 20.06.4.0/20.12
exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.
network
low complexity
johnsoncontrols CWE-79
5.4
2021-06-24 CVE-2021-27659 Cross-site Scripting vulnerability in Johnsoncontrols Exacqvision web Service 20.06.11.0/20.06.3.0/21.03
exacqVision Web Service 21.03 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.
network
low complexity
johnsoncontrols CWE-79
6.1
2020-11-19 CVE-2020-9049 Improper Authentication vulnerability in Johnsoncontrols C-Cure web and Victor web
A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization.
high complexity
johnsoncontrols CWE-287
5.3
2020-05-21 CVE-2020-9045 Cleartext Storage of Sensitive Information vulnerability in multiple products
During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file.
network
low complexity
tyco johnsoncontrols CWE-312
6.5
2018-08-01 CVE-2018-10624 7PK - Errors vulnerability in Johnsoncontrols Bcpro and Metasys System
In Johnson Controls Metasys System Versions 8.0 and prior and BCPro (BCM) all versions prior to 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information.
low complexity
johnsoncontrols CWE-388
6.5