Vulmon
johnsoncontrols metasys system vulnerabilities and exploits
3.3
CVSSv2
CVE-2018-10624
In Johnson Controls Metasys System Versions 8.0 and prior and BCPro (BCM) all versions before 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow a malicious user to obtain technical information.
Johnsoncontrols Bcpro
Johnsoncontrols Metasys System
6.4
CVSSv2
CVE-2019-7593
Metasys® ADS/ADX servers and NAE/NIE/NCE engines before 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).
Johnsoncontrols Metasys System
6.4
CVSSv2
CVE-2019-7594
Metasys® ADS/ADX servers and NAE/NIE/NCE engines before 9.0 make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP).
Johnsoncontrols Metasys System
6.4
CVSSv2
CVE-2021-36203
The affected product may allow a malicious user to identify and forge requests to internal systems by way of a specially crafted request.
Johnsoncontrols Metasys System Configuration Tool
NA
CVE-2022-21939
Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 before 14.2.3 and version 15 before 15.0.3 could allow access to the cookie.
Johnsoncontrols Metasys System Configuration Tool
NA
CVE-2022-21940
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 before 14.2.3 and version 15 before 15.0.3 could allow access to the cookie.
Johnsoncontrols Metasys System Configuration Tool
6.4
CVSSv2
CVE-2020-9044
XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys E...
Johnsoncontrols Metasys Application And Data Server
Johnsoncontrols Metasys Extended Application And Data Server
Johnsoncontrols Metasys Lonworks Control Server
Johnsoncontrols Metasys Open Application Server 10.1
Johnsoncontrols Metasys Open Data Server
Johnsoncontrols Metasys System Configuration Tool
Johnsoncontrols Nae55 Firmware 9.0.1
Johnsoncontrols Nae55 Firmware 9.0.2
Johnsoncontrols Nae55 Firmware 9.0.3
Johnsoncontrols Nae55 Firmware 9.0.5
Johnsoncontrols Nae55 Firmware 9.0.6
Johnsoncontrols Nie55 Firmware 9.0.1
Johnsoncontrols Nie55 Firmware 9.0.2
Johnsoncontrols Nie55 Firmware 9.0.3
Johnsoncontrols Nie55 Firmware 9.0.5
Johnsoncontrols Nie55 Firmware 9.0.6
Johnsoncontrols Nie59 Firmware 9.0.1
Johnsoncontrols Nie59 Firmware 9.0.2
Johnsoncontrols Nie59 Firmware 9.0.3
Johnsoncontrols Nie59 Firmware 9.0.5
Johnsoncontrols Nie59 Firmware 9.0.6
Johnsoncontrols Nae85 Firmware
6
CVSSv2
CVE-2022-21934
Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions before 10.1.5 and Metasys ADS/ADX/OAS server 11 versions before 11.0.2.
Johnsoncontrols Metasys Open Application Server
Johnsoncontrols Metasys Extended Application And Data Server
Johnsoncontrols Metasys Application And Data Server
5
CVSSv2
CVE-2020-9050
Path Traversal vulnerability exists in Metasys Reporting Engine (MRE) Web Services which could allow a remote unauthenticated malicious user to access and download arbitrary files from the system.
Johnsoncontrols Metasys Reporting Engine 2.0
Johnsoncontrols Metasys Reporting Engine 2.1
6.5
CVSSv2
CVE-2021-27657
Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: J...
Johnsoncontrols Metasys