
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

13 Jan 2023 — Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text. • https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-06 • CWE-522: Insufficiently Protected Credentials

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Oct 2022 — All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-298-05 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

11 Oct 2022 — Under certain circumstances a CCURE Portal user could enumerate user accounts in CCURE 9000 version 2.90 and prior versions. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-284-03 • CWE-203: Observable Discrepancy • CWE-204: Observable Response Discrepancy

CVSS: 8.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

07 Oct 2022 — On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-277-01 • CWE-287: Improper Authentication

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

31 Aug 2022 — All versions of iSTAR Ultra prior to version 6.8.9.CU01 are vulnerable to a command injection that could allow an unauthenticated user root access to the system. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-242-11 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 5.3 • EPSS: 0% • CPEs: 6 • EXPL: 0

22 Jul 2022 — Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-02 • CWE-306: Missing Authentication for Critical Function

CVSS: 8.1 • EPSS: 0% • CPEs: 9 • EXPL: 0

15 Jun 2022 — Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-165-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 9 • EXPL: 0

15 Jun 2022 — A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-165-01 • CWE-287: Improper Authentication • CWE-620: Unverified Password Change

CVSS: 8.7 • EPSS: 0% • CPEs: 9 • EXPL: 0

15 Jun 2022 — Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-165-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

06 May 2022 — Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-125-01 • CWE-287: Improper Authentication • CWE-620: Unverified Password Change