
CVSS: 9.8 • EPSS: 1% • CPEs: 2 • EXPL: 0

30 Aug 2021 — A vulnerability in versions 10.1 through 10.5 of Johnson Controls CEM Systems AC2000 allows a remote attacker to access the system without adequate authorization. This issue affects: Johnson Controls CEM Systems AC2000 10.1; 10.2; 10.3; 10.4; 10.5. • https://us-cert.gov/ics/advisories/ICSA-21-238-01 • CWE-285: Improper Authorization

CVSS: 8.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

01 Jul 2021 — Successful exploitation of this vulnerability could give an authenticated Facility Explorer SNC Series Supervisory Controller (F4-SNC) user an unintended level of access to the controller’s file system, allowing them to access or modify system files by sending specifically crafted web messages to the F4-SNC. • https://us-cert.cisa.gov/ics/advisories/icsa-21-182-01 • CWE-269: Improper Privilege Management • CWE-863: Incorrect Authorization

CVSS: 8.8 • EPSS: 13% • CPEs: 2 • EXPL: 0

01 Jul 2021 — An insecure client auto update feature in C-CURE 9000 can allow remote execution of lower privileged Windows programs. • https://us-cert.cisa.gov/ics/advisories/icsa-21-182-02 • CWE-20: Improper Input Validation

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Jun 2021 — exacqVision Web Service 21.03 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users. • https://us-cert.cisa.gov/ics/advisories/icsa-21-180-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Jun 2021 — exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users. • https://us-cert.cisa.gov/ics/advisories/icsa-21-180-02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

04 Jun 2021 — Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: Johnson Controls Metasys version 11.0 and prior versions. • https://us-cert.cisa.gov/ics/advisories/icsa-21-159-01 • CWE-269: Improper Privilege Management

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Mar 2021 — A vulnerability in exacqVision Web Service 20.12.2.0 and prior could allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system. • https://us-cert.cisa.gov/ics/advisories/icsa-21-077-01 • CWE-862: Missing Authorization

CVSS: 7.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

19 Feb 2021 — A Path Traversal vulnerability exists in Metasys Reporting Engine (MRE) Web Services which could allow a remote unauthenticated attacker to access and download arbitrary files from the system. • https://www.johnsoncontrols.com/cyber-solutions/security-advisories • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

19 Nov 2020 — A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack. • https://us-cert.cisa.gov/ics/advisories/icsa-20-324-01 • CWE-285: Improper Authorization • CWE-287: Improper Authentication

CVSS: 8.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

08 Oct 2020 — A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack. • https://us-cert.cisa.gov/ics/advisories/icsa-20-282-01 • CWE-285: Improper Authorization • CWE-732: Incorrect Permission Assignment for Critical Resource