CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-36204 – Insufficiently Protected Credentials in Metasys
https://notcve.org/view.php?id=CVE-2021-36204
13 Jan 2023 — Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text. • https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-06 • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2021-36200 – Metasys ADS/ADX/OAS with MUI
https://notcve.org/view.php?id=CVE-2021-36200
22 Jul 2022 — Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users. Bajo determinadas circunstancias, un usuario no autenticado podría acceder a la API web para las versiones de Metasys ADS/ADX/OAS versiones 10 anteriores a 10.1.6 y 11 anteriores a 11.0.2 y enumerar usuarios • https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-02 • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.1EPSS: 0%CPEs: 9EXPL: 0CVE-2022-21938 – Metasys MUI Graphics XSS
https://notcve.org/view.php?id=CVE-2022-21938
15 Jun 2022 — Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. Bajo determinadas circunstancias, una vulnerabilidad en Metasys ADS/ADX/OAS 10 versiones anteriores a 10.1.5 y en Metasys ADS/ADX/OAS 11 versiones anteriores a 11.0.2, podría permitir a un usuario inyectar código malicioso en la interfaz web de MUI Graphics • https://www.cisa.gov/uscert/ics/advisories/icsa-22-165-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2022-21935 – Metasys password guessing
https://notcve.org/view.php?id=CVE-2022-21935
15 Jun 2022 — A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change. Una vulnerabilidad en Metasys ADS/ADX/OAS 10 versiones anteriores a 10.1.5 y en Metasys ADS/ADX/OAS 11 versiones anteriores a 11.0.2, permite un cambio de contraseña no verificado • https://www.cisa.gov/uscert/ics/advisories/icsa-22-165-01 • CWE-287: Improper Authentication CWE-620: Unverified Password Change •
CVSS: 8.7EPSS: 0%CPEs: 9EXPL: 0CVE-2022-21937 – Metasys CSS
https://notcve.org/view.php?id=CVE-2022-21937
15 Jun 2022 — Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. Bajo determinadas circunstancias, una vulnerabilidad en Metasys ADS/ADX/OAS 10 versiones anteriores a 10.1.5 y Metasys ADS/ADX/OAS 11versiones anteriores a 11.0.2 podría permitir a un usuario inyectar código malicioso en la interfaz web • https://www.cisa.gov/uscert/ics/advisories/icsa-22-165-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-21934 – Metasys Unverified Password Change
https://notcve.org/view.php?id=CVE-2022-21934
06 May 2022 — Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2. En determinadas circunstancias, un usuario autenticado podría bloquear a otros usuarios del sistema o hacerse con sus cuentas en Metasys ADS/ADX/OAS server 10 versiones anteriores a la 10.1.5 y Metasys ADS/ADX/OAS server 11 anteriores a 11.0.2 • https://www.cisa.gov/uscert/ics/advisories/icsa-22-125-01 • CWE-287: Improper Authentication CWE-620: Unverified Password Change •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-36207 – Metasys privilege management
https://notcve.org/view.php?id=CVE-2021-36207
29 Apr 2022 — Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator. Bajo determinadas circunstancias una administración de privilegios inapropiada en los servidores Metasys ADS/ADX/OAS versiones 10 y 11, podría permitir a un usuario autenticado elevar sus privilegios a administrador • https://www.cisa.gov/uscert/ics/advisories/icsa-22-118-01 • CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-36205 – Metasys session token
https://notcve.org/view.php?id=CVE-2021-36205
15 Apr 2022 — Under certain circumstances the session token is not cleared on logout. Bajo determinadas circunstancias el token de sesión no es borrado al cerrar la sesión • https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-02 • CWE-459: Incomplete Cleanup •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2021-36202 – Metasys UI
https://notcve.org/view.php?id=CVE-2021-36202
07 Apr 2022 — Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects: Johnson Controls Metasys All 10 versions versions prior to 10.1.5; All 11 versions versions prior to 11.0.2. La vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en Johnson Controls Metasys podría permitir a un atacante autenticado inyectar código malicioso en la función de exportación de PDF de MUI. Este prob... • https://www.cisa.gov/uscert/ics/advisories/icsa-22-095-02 • CWE-918: Server-Side Request Forgery (SSRF) •