11 matches found
PT-2026-5389
Name of the Vulnerable Software and Affected Versions: Johnson Controls Metasys versions 12.0 through 14.1; Johnson Controls Metasys Application and Data Server (ADS) versions 14.1 and prior; Johnson Controls Metasys Extended Application and Data Server (ADX) version 14.1; Johnson Controls Metasys System...
CVE-2021-36204
Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text...
CVE-2022-21935
A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change...
CVE-2021-36207
Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator...
CVE-2021-36202
A Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects Johnson Controls Metasys: all 10 versions prior to 10.1.5; all 11 versions prior to 11.0....
Unspecified Vulnerability in Johnson Controls Metasys
Johnson Controls Metasys is a building automation system from the United States company Johnson Controls. A security vulnerability exists in Johnson Controls Metasys version 11.0 and prior versions that can be exploited by an attacker to send specially crafted web messag...
CVE-2020-9044
XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server ADS, ADS-Lite versions 10.1 and prior; Metasys Extended Application and...
CVE-2018-10624
In Johnson Controls Metasys System Versions 8.0 and prior and BCPro BCM all versions prior to 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information...
CVE-2018-10624
In Johnson Controls Metasys System Versions 8.0 and prior and BCPro BCM all versions prior to 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information...
CVE-2018-10624
CVE-2018-10624 affects Johnson Controls Metasys System (versions 8.0 and earlier) and BCPro (BCM) before 3.0.2. Root cause: improper error handling in HTTP-based communications that can expose technical information via error messages. Impact: information exposure about the server; CVSSv3 base sco...
PT-2018-10013 · Johnson Controls · Johnson Controls Metasys System +1
Name of the Vulnerable Software and Affected Versions: Johnson Controls Metasys System versions 8.0 and prior; BCPro (BCM) versions prior to 3.0.2. Description: This issue results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain...