CVEDB API

Vulnerabilities

Vulnerable Software

Johnsoncontrols: Security Vulnerabilities

CVE-2021-36200

Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.

CVSS Score

5.3

EPSS Score

0.003

Published

2022-07-22

CVE-2022-21938

Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.

CVSS Score

8.1

EPSS Score

0.004

Published

2022-06-15

CVE-2022-21935

A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change.

CVSS Score

7.5

EPSS Score

0.002

Published

2022-06-15

CVE-2022-21937

CVSS Score

8.7

EPSS Score

0.005

Published

2022-06-15

CVE-2022-21934

Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.

CVSS Score

8.0

EPSS Score

0.003

Published

2022-05-06

CVE-2021-36207

Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator.

CVSS Score

8.8

EPSS Score

0.002

Published

2022-04-29

CVE-2021-36203

The affected product may allow an attacker to identify and forge requests to internal systems by way of a specially crafted request.

CVSS Score

5.3

EPSS Score

0.002

Published

2022-04-22

CVE-2021-36205

Under certain circumstances the session token is not cleared on logout.

CVSS Score

8.1

EPSS Score

0.003

Published

2022-04-15

CVE-2022-26643

An issue in EasyIO CPT Graphics v0.8 allows attackers to discover valid users in the application.

CVSS Score

5.3

EPSS Score

0.003

Published

2022-04-13

CVE-2021-36202

Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects: Johnson Controls Metasys All 10 versions versions prior to 10.1.5; All 11 versions versions prior to 11.0.2.

CVSS Score

8.4

EPSS Score

0.002

Published

2022-04-07

Prev Next

Page 4

Vulnerabilities

Vulnerable Software

Johnsoncontrols: Security Vulnerabilities

Products

Pricing

Contact Us