XXE in Johnson Controls Metasys Application and Data Server (ADS, ADS-Lite)

CVE-2020-9044

An XXE vulnerability exists in the Metasys family of product Web Services, which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.013 (66.5th percentile)

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Frequently asked questions

What is CVE-2020-9044?

CVE-2020-9044 is a high-severity vulnerability in Johnson Controls Metasys Application and Data Server (ADS, ADS-Lite), classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 7.5/10. Published 2020-03-10.

How severe is CVE-2020-9044?

High severity. CVSS v3 base score is 7.5 out of 10.