Johnsoncontrols Metasys_open_application_server
10 CVEs affecting Johnsoncontrols Metasys_open_application_server. Latest disclosed: 2023-01-13. Critical: 0, High: 9.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2021-36207 | High | 8.8 | 2022-04-29 | Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their… |
| CVE-2022-21937 | High | 8.7 | 2022-06-15 | Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow… |
| CVE-2021-36202 | High | 8.4 | 2022-04-07 | Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF ex… |
| CVE-2022-21938 | High | 8.1 | 2022-06-15 | Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow… |
| CVE-2021-36205 | High | 8.1 | 2022-04-15 | Under certain circumstances the session token is not cleared on logout. |
| CVE-2022-21934 | High | 8.0 | 2022-05-06 | Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 version… |
| CVE-2021-36204 | High | 7.8 | 2023-01-13 | Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versi… |
| CVE-2022-21935 | High | 7.5 | 2022-06-15 | A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change. |
| CVE-2020-9044 | High | 7.5 | 2020-03-10 | XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. T… |
| CVE-2021-36200 | Medium | 5.3 | 2022-07-22 | Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 1… |