Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Johnsoncontrols Subscribe
Filtered by product Metasys Extended Application And Data Server
Total 11 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-36204 1 Johnsoncontrols 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server 2023-01-23 N/A 7.5 HIGH
Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.
CVE-2022-21936 1 Johnsoncontrols 2 Metasys Extended Application And Data Server, Metasys For Validated Environments 2022-10-13 N/A 6.5 MEDIUM
On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI.
CVE-2021-36200 1 Johnsoncontrols 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server 2022-07-29 N/A 5.3 MEDIUM
Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.
CVE-2022-21938 1 Johnsoncontrols 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server 2022-06-24 3.5 LOW 5.4 MEDIUM
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.
CVE-2022-21937 1 Johnsoncontrols 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server 2022-06-24 2.1 LOW 5.4 MEDIUM
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface.
CVE-2022-21935 1 Johnsoncontrols 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server 2022-06-24 5.0 MEDIUM 7.5 HIGH
A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change.
CVE-2022-21934 1 Johnsoncontrols 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server 2022-05-16 6.0 MEDIUM 8.8 HIGH
Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.
CVE-2021-36207 1 Johnsoncontrols 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server 2022-05-11 8.5 HIGH 8.8 HIGH
Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator.
CVE-2021-36205 1 Johnsoncontrols 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server 2022-04-25 6.8 MEDIUM 9.8 CRITICAL
Under certain circumstances the session token is not cleared on logout.
CVE-2021-36202 1 Johnsoncontrols 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server 2022-04-14 6.5 MEDIUM 8.8 HIGH
Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects: Johnson Controls Metasys All 10 versions versions prior to 10.1.5; All 11 versions versions prior to 11.0.2.
CVE-2020-9044 1 Johnsoncontrols 20 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Lonworks Control Server and 17 more 2020-03-11 6.4 MEDIUM 9.1 CRITICAL
XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.