Filtered by vendor Johnsoncontrols
Subscribe
Total
57 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-21941 | 1 Johnsoncontrols | 2 Istar Ultra, Istar Ultra Firmware | 2024-02-04 | N/A | 9.8 CRITICAL |
All versions of iSTAR Ultra prior to version 6.8.9.CU01 are vulnerable to a command injection that could allow an unauthenticated user root access to the system. | |||||
CVE-2021-36200 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2024-02-04 | N/A | 5.3 MEDIUM |
Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users. | |||||
CVE-2021-36206 | 1 Johnsoncontrols | 1 Cevas | 2024-02-04 | N/A | 6.1 MEDIUM |
All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries. | |||||
CVE-2022-21936 | 1 Johnsoncontrols | 2 Metasys Extended Application And Data Server, Metasys For Validated Environments | 2024-02-04 | N/A | 6.5 MEDIUM |
On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI. | |||||
CVE-2022-21935 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change. | |||||
CVE-2022-26643 | 1 Johnsoncontrols | 1 Easyio Cpt Graphics | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue in EasyIO CPT Graphics v0.8 allows attackers to discover valid users in the application. | |||||
CVE-2022-21938 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface. | |||||
CVE-2022-21937 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2024-02-04 | 2.1 LOW | 5.4 MEDIUM |
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface. | |||||
CVE-2021-36202 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects: Johnson Controls Metasys All 10 versions versions prior to 10.1.5; All 11 versions versions prior to 11.0.2. | |||||
CVE-2021-36205 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2024-02-04 | 6.8 MEDIUM | 9.8 CRITICAL |
Under certain circumstances the session token is not cleared on logout. | |||||
CVE-2022-21934 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2024-02-04 | 6.0 MEDIUM | 8.8 HIGH |
Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2. | |||||
CVE-2021-36207 | 1 Johnsoncontrols | 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server | 2024-02-04 | 8.5 HIGH | 8.8 HIGH |
Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator. | |||||
CVE-2021-36203 | 1 Johnsoncontrols | 1 Metasys System Configuration Tool | 2024-02-04 | 6.4 MEDIUM | 9.1 CRITICAL |
The affected product may allow an attacker to identify and forge requests to internal systems by way of a specially crafted request. | |||||
CVE-2021-27662 | 1 Johnsoncontrols | 2 Kantech Kt-1 Door Controller, Kantech Kt-1 Door Controller Firmware | 2024-02-04 | 6.8 MEDIUM | 8.1 HIGH |
The KT-1 door controller is susceptible to replay or man-in-the-middle attacks where an attacker can record and replay TCP packets. This issue affects Johnson Controls KT-1 all versions up to and including 3.01 | |||||
CVE-2021-27664 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2024-02-04 | 6.8 MEDIUM | 9.8 CRITICAL |
Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server. | |||||
CVE-2021-36199 | 1 Johnsoncontrols | 1 Videoedge | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
Running a vulnerability scanner against VideoEdge NVRs can cause some functionality to stop. | |||||
CVE-2021-27665 | 1 Johnsoncontrols | 1 Exacqvision Server | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause denial-of-service condition. | |||||
CVE-2021-36198 | 1 Johnsoncontrols | 1 Kantech Entrapass | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Successful exploitation of this vulnerability could allow an unauthorized user to access sensitive data. | |||||
CVE-2021-27657 | 1 Johnsoncontrols | 1 Metasys | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: Johnson Controls Metasys version 11.0 and prior versions. | |||||
CVE-2021-27658 | 1 Johnsoncontrols | 1 Exacqvision Enterprise Manager | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users. |