CVE-2025-26385

Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command Command Injection Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects Metasys: Application and Data Server ADS installed...

CVE-2025-26385

CVE-2025-26385 concerns Johnson Controls Metasys components vulnerable to an Improper Neutralization of Special Elements used in a Command (Command Injection) , with potential for remote SQL execution . Affected versions include Metasys ADS/ADX with SQL Express in 14.1 and earlier, LCS8500/NAE850...

CVE-2025-26385 Metasys product command injection vulnerability could allow remote SQL execution

Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command Command Injection Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects Metasys: Application and Data Server ADS installed...

PT-2026-5389

Name of the Vulnerable Software and Affected Versions Johnson Controls Metasys versions 12.0 through 14.1 Johnson Controls Metasys Application and Data Server ADS versions 14.1 and prior Johnson Controls Metasys Extended Application and Data Server ADX version 14.1 Johnson Controls Metasys System...

EUVD-2022-27095

Malicious code in bioql PyPI...

EUVD-2022-27096

Malicious code in bioql PyPI...

CVE-2022-21939

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool SCT version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie...

CVE-2022-21939

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool SCT version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie...

CVE-2022-21940

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool SCT version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie...

CVE-2022-21940 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in System Configuration Tool (SCT)

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool SCT version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie...

CVE-2022-21940 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in System Configuration Tool (SCT)

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool SCT version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie...

CVE-2022-21940

Summary : CVE-2022-21940 affects Johnson Controls System Configuration Tool (SCT) versions 14 before 14.2.3 and 15 before 15.0.3. The issue is a sensitive cookie in HTTPS session without the Secure attribute , which could allow cookie exposure. Root cause : cookies accepted in HTTPS sessions with...

CVE-2022-21939 Sensitive cookie without 'HttpOnly' flag in System Configuration Tool (SCT)

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool SCT version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie...

CVE-2022-21939 Sensitive cookie without 'HttpOnly' flag in System Configuration Tool (SCT)

Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool SCT version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie...

CVE-2022-21939

CVE-2022-21939 affects Johnson Controls System Configuration Tool (SCT) versions 14 prior to 14.2.3 and 15 prior to 15.0.3. The vulnerability is a SENSITIVE COOKIE WITHOUT 'HttpOnly' FLAG, described as a cross-site scripting issue that could allow an attacker to access cookies and take control of...

PT-2023-12673 · Johnson Controls · Johnson Controls System Configuration Tool

Name of the Vulnerable Software and Affected Versions: Johnson Controls System Configuration Tool SCT versions 14 prior to 14.2.3 Johnson Controls System Configuration Tool SCT versions 15 prior to 15.0.3 Description: The issue allows access to a sensitive cookie due to the lack of the 'HttpOnly'...

Johnson Controls System Configuration Tool 跨站脚本漏洞

Johnson Controls System Configuration Tool is a controller configuration tool from Johnson Controls Johnson Controls. It is used as an interface to field device controller logic and provides intuitive screens for programming. A security vulnerability exists in Johnson Controls System Configuratio...

PT-2023-12674 · Johnson Controls · Johnson Controls System Configuration Tool

Name of the Vulnerable Software and Affected Versions: Johnson Controls System Configuration Tool SCT versions 14 prior to 14.2.3 Johnson Controls System Configuration Tool SCT versions 15 prior to 15.0.3 Description: The issue allows access to a sensitive cookie in an HTTPS session due to the la...

Johnson Controls System Configuration Tool 跨站脚本漏洞

Johnson Controls System Configuration Tool is a controller configuration tool from Johnson Controls Johnson Controls. It is used as an interface to field device controller logic and provides intuitive screens for programming. A security vulnerability exists in Johnson Controls System Configuratio...

Johnsoncontrols Metasys Improper Restriction of XML External Entity Reference

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server ADS, ADS-Lite versions 10.1 and prior; Metasys Extended Application and...