Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Metasys_extended_application_and_data_server
(Johnsoncontrols)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 11 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2022-10-07 | CVE-2022-21936 | On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI. | Metasys_extended_application_and_data_server, Metasys_for_validated_environments | 6.5 | ||
| 2023-01-13 | CVE-2021-36204 | Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text. | Metasys_application_and_data_server, Metasys_extended_application_and_data_server, Metasys_open_application_server | 7.5 | ||
| 2022-07-22 | CVE-2021-36200 | Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users. | Metasys_application_and_data_server, Metasys_extended_application_and_data_server, Metasys_open_application_server | 5.3 | ||
| 2022-06-15 | CVE-2022-21938 | Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. | Metasys_application_and_data_server, Metasys_extended_application_and_data_server, Metasys_open_application_server | 5.4 | ||
| 2022-06-15 | CVE-2022-21935 | A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change. | Metasys_application_and_data_server, Metasys_extended_application_and_data_server, Metasys_open_application_server | 7.5 | ||
| 2022-06-15 | CVE-2022-21937 | Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. | Metasys_application_and_data_server, Metasys_extended_application_and_data_server, Metasys_open_application_server | 5.4 | ||
| 2022-05-06 | CVE-2022-21934 | Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2. | Metasys_application_and_data_server, Metasys_extended_application_and_data_server, Metasys_open_application_server | 8.8 | ||
| 2022-04-29 | CVE-2021-36207 | Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator. | Metasys_application_and_data_server, Metasys_extended_application_and_data_server, Metasys_open_application_server | 8.8 | ||
| 2022-04-15 | CVE-2021-36205 | Under certain circumstances the session token is not cleared on logout. | Metasys_application_and_data_server, Metasys_extended_application_and_data_server, Metasys_open_application_server | 9.8 | ||
| 2022-04-07 | CVE-2021-36202 | Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects: Johnson Controls Metasys All 10 versions versions prior to 10.1.5; All 11 versions versions prior to 11.0.2. | Metasys_application_and_data_server, Metasys_extended_application_and_data_server, Metasys_open_application_server | 8.8 |