Metasys Extended Application And Data Server Security Vulnerabilities and Issues — Metasys Extended Application And Data Server CVE List

Lucene search

JohnsoncontrolsMetasys Extended Application And Data Server

11 matches found

CVE•added 2022/07/22 3:15 p.m.•1394 views

CVE-2021-36200

Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.

5.3CVSS5.3AI score0.00286EPSS

CVE•added 2022/04/07 8:15 p.m.•87 views

CVE-2021-36202

Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects: Johnson Controls Metasys All 10 versions versions prior to 10.1.5; All 11 versions versions prior to 11.0....

8.8CVSS8.6AI score0.0019EPSS

CVE•added 2022/06/15 8:15 p.m.•84 views

CVE-2022-21935

A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change.

7.5CVSS7.7AI score0.00185EPSS

CVE•added 2022/04/29 5:15 p.m.•81 views

CVE-2021-36207

Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator.

8.8CVSS8.7AI score0.00158EPSS

CVE•added 2022/04/15 5:15 p.m.•71 views

CVE-2021-36205

Under certain circumstances the session token is not cleared on logout.

9.8CVSS9.1AI score0.00275EPSS

CVE•added 2022/05/06 4:15 p.m.•69 views

CVE-2022-21934

Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.

8.8CVSS8.2AI score0.0019EPSS

CVE•added 2022/06/15 8:15 p.m.•63 views

CVE-2022-21937

Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface.

8.7CVSS6.3AI score0.00541EPSS

CVE•added 2022/06/15 9:15 p.m.•60 views

CVE-2022-21938

8.1CVSS6.3AI score0.0035EPSS

CVE•added 2020/03/10 8:15 p.m.•59 views

CVE-2020-9044

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and ...

9.1CVSS8.4AI score0.00269EPSS

CVE•added 2022/10/07 6:15 p.m.•51 views

CVE-2022-21936

On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI.

8.1CVSS7AI score0.00131EPSS

CVE•added 2023/01/13 9:15 p.m.•38 views

CVE-2021-36204

Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.

7.8CVSS7.5AI score0.00171EPSS