VYPR

Metasys

by Johnson Controls

CVEs (10)

  • CVE-2018-10624 | Med | Aug 1, 2018
    risk 0.42 | cvss 6.5 | epss 0.01

    In Johnson Controls Metasys System Versions 8.0 and prior and BCPro (BCM) all versions prior to 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information.

  • CVE-2023-4486 | Dec 7, 2023
    risk 0.00 | cvss | epss 0.01

    Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4 and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause…

  • CVE-2021-36207 | Apr 29, 2022
    risk 0.00 | cvss | epss 0.01

    Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator.

  • CVE-2021-36205 | Apr 15, 2022
    risk 0.00 | cvss | epss 0.01

    Under certain circumstances the session token is not cleared on logout.

  • CVE-2021-36202 | Apr 7, 2022
    risk 0.00 | cvss | epss 0.01

    Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects: Johnson Controls Metasys All 10 versions prior to 10.1.5; All 11 versions…

  • CVE-2021-27657 | Jun 4, 2021
    risk 0.00 | cvss | epss 0.01

    Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects:…

  • CVE-2019-7594 | Aug 20, 2019
    risk 0.00 | cvss | epss 0.01

    Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP).

  • CVE-2019-7593 | Aug 20, 2019
    risk 0.00 | cvss | epss 0.01

    Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).

  • CVE-2014-5428 | Mar 29, 2015
    risk 0.00 | cvss | epss 0.04

    Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE)…

  • CVE-2014-5427 | Mar 29, 2015
    risk 0.00 | cvss | epss 0.01

    Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote…