CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

13 Jan 2023 — Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text. • https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-06 • CWE-522: Insufficiently Protected Credentials

CVSS: 5.3 • EPSS: 0% • CPEs: 6 • EXPL: 0

22 Jul 2022 — Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-02 • CWE-306: Missing Authentication for Critical Function

CVSS: 8.1 • EPSS: 0% • CPEs: 9 • EXPL: 0

15 Jun 2022 — Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-165-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 9 • EXPL: 0

15 Jun 2022 — A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-165-01 • CWE-287: Improper Authentication • CWE-620: Unverified Password Change

CVSS: 8.7 • EPSS: 0% • CPEs: 9 • EXPL: 0

15 Jun 2022 — Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-165-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

06 May 2022 — Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-125-01 • CWE-287: Improper Authentication • CWE-620: Unverified Password Change

CVSS: 8.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

29 Apr 2022 — Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-118-01 • CWE-269: Improper Privilege Management

CVSS: 9.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

15 Apr 2022 — Under certain circumstances the session token is not cleared on logout. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-02 • CWE-459: Incomplete Cleanup

CVSS: 8.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

07 Apr 2022 — Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects: Johnson Controls Metasys All 10 versions prior to 10.1.5; All 11 versions prior to 11.0.2. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-095-02 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 9.1 • EPSS: 0% • CPEs: 35 • EXPL: 0

10 Mar 2020 — An XXE vulnerability exists in the Metasys family of product Web Services, which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1,... • https://www.johnsoncontrols.com/cyber-solutions/security-advisories • CWE-611: Improper Restriction of XML External Entity Reference