VYPR

System Configuration Tool (SCT)

by Johnson Controls

CVEs (4)

  • CVE-2025-26385 · Cri · Jan 30, 2026
    risk 0.62 · cvss · epss 0.01

    Johnson Controls Metasys components listed below have an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability. Successful exploitation of this vulnerability could allow remote SQL execution. This issue affects * Metasys:…

  • CVE-2022-21940 · Hig · Feb 9, 2023
    risk 0.49 · cvss 7.5 · epss 0.00

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.

  • CVE-2022-21939 · Hig · Feb 9, 2023
    risk 0.49 · cvss 7.5 · epss 0.01

    Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.

  • CVE-2020-9044 · Hig · Mar 10, 2020
    risk 0.49 · cvss 7.5 · epss 0.01

    XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys…