
CVE-2022-21940 – Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in System Configuration Tool (SCT)
https://notcve.org/view.php?id=CVE-2022-21940
09 Feb 2023 — Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie. • https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03 • CWE-311: Missing Encryption of Sensitive Data CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute •

CVE-2022-21939 – Sensitive cookie without 'HttpOnly' flag in System Configuration Tool (SCT)
https://notcve.org/view.php?id=CVE-2022-21939
09 Feb 2023 — Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie. • https://www.cisa.gov/uscert/ics/advisories/icsa-23-040-03 • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag •

CVE-2021-36204 – Insufficiently Protected Credentials in Metasys
https://notcve.org/view.php?id=CVE-2021-36204
13 Jan 2023 — Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text. • https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-06 • CWE-522: Insufficiently Protected Credentials •

CVE-2022-21936 – Metasys MVE
https://notcve.org/view.php?id=CVE-2022-21936
07 Oct 2022 — On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-277-01 • CWE-287: Improper Authentication •

CVE-2021-36200 – Metasys ADS/ADX/OAS with MUI
https://notcve.org/view.php?id=CVE-2021-36200
22 Jul 2022 — Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-02 • CWE-306: Missing Authentication for Critical Function •

CVE-2022-21938 – Metasys MUI Graphics XSS
https://notcve.org/view.php?id=CVE-2022-21938
15 Jun 2022 — Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-165-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-21935 – Metasys password guessing
https://notcve.org/view.php?id=CVE-2022-21935
15 Jun 2022 — A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-165-01 • CWE-287: Improper Authentication CWE-620: Unverified Password Change •

CVE-2022-21937 – Metasys CSS
https://notcve.org/view.php?id=CVE-2022-21937
15 Jun 2022 — Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-165-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-21934 – Metasys Unverified Password Change
https://notcve.org/view.php?id=CVE-2022-21934
06 May 2022 — Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-125-01 • CWE-287: Improper Authentication CWE-620: Unverified Password Change •

CVE-2021-36207 – Metasys privilege management
https://notcve.org/view.php?id=CVE-2021-36207
29 Apr 2022 — Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-118-01 • CWE-269: Improper Privilege Management •