Johnsoncontrols Metasys Open Application Server — known CVE vulnerabilities
Every CVE whose affected-product data names Johnsoncontrols Metasys Open Application Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (10)
CVE-2021-36207 — CVSS 8.8 (high): Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated…
CVE-2022-21937 — CVSS 8.7 (high): Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior…
CVE-2021-36202 — CVSS 8.4 (high): Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code…
CVE-2022-21938 — CVSS 8.1 (high): Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior…
CVE-2022-21934 — CVSS 8.0 (high): Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys…
CVE-2021-36204 — CVSS 7.8 (high): Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to…
CVE-2022-21935 — CVSS 7.5 (high): A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified…
CVE-2020-9044 — CVSS 7.5 (high): XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of…
CVE-2021-36200 — CVSS 5.3 (medium): Under certain circumstances an unauthenticated user could access the the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11…