Johnsoncontrols

Metasys Open Application Server

10 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2021-36204

  • EPSS 0.18%
  • Veröffentlicht 13.01.2023 21:15:15
  • Zuletzt bearbeitet 21.11.2024 06:13:18

Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.

5.3

CVE-2021-36200

  • EPSS 0.28%
  • Veröffentlicht 22.07.2022 15:15:07
  • Zuletzt bearbeitet 21.11.2024 06:13:18

Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.

5.4

CVE-2022-21938

  • EPSS 0.35%
  • Veröffentlicht 15.06.2022 21:15:09
  • Zuletzt bearbeitet 21.11.2024 06:45:44

Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.

7.5

CVE-2022-21935

  • EPSS 0.25%
  • Veröffentlicht 15.06.2022 20:15:17
  • Zuletzt bearbeitet 21.11.2024 06:45:44

A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change.

5.4

CVE-2022-21937

  • EPSS 0.54%
  • Veröffentlicht 15.06.2022 20:15:17
  • Zuletzt bearbeitet 21.11.2024 06:45:44

Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface.

8.8

CVE-2022-21934

  • EPSS 0.25%
  • Veröffentlicht 06.05.2022 16:15:14
  • Zuletzt bearbeitet 21.11.2024 06:45:44

Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.

8.8

CVE-2021-36207

  • EPSS 0.16%
  • Veröffentlicht 29.04.2022 17:15:19
  • Zuletzt bearbeitet 21.11.2024 06:13:19

Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator.

9.8

CVE-2021-36205

  • EPSS 0.28%
  • Veröffentlicht 15.04.2022 17:15:08
  • Zuletzt bearbeitet 21.11.2024 06:13:18

Under certain circumstances the session token is not cleared on logout.

8.8

CVE-2021-36202

  • EPSS 0.19%
  • Veröffentlicht 07.04.2022 20:15:09
  • Zuletzt bearbeitet 21.11.2024 06:13:18

Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects: Johnson Controls Metasys All 10 versions versions prior t...

9.1

CVE-2020-9044

  • EPSS 0.27%
  • Veröffentlicht 10.03.2020 20:15:22
  • Zuletzt bearbeitet 21.11.2024 05:39:53

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions ...