Filtered by vendor Johnsoncontrols
Subscribe
Total
62 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27659 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2024-11-21 | 4.3 MEDIUM | 5.3 MEDIUM |
| exacqVision Web Service 21.03 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users. | |||||
| CVE-2021-27658 | 1 Johnsoncontrols | 1 Exacqvision Enterprise Manager | 2024-11-21 | 3.5 LOW | 4.3 MEDIUM |
| exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users. | |||||
| CVE-2021-27657 | 1 Johnsoncontrols | 1 Metasys | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: Johnson Controls Metasys version 11.0 and prior versions. | |||||
| CVE-2021-27656 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in exacqVision Web Service 20.12.2.0 and prior could allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system. | |||||
| CVE-2020-9050 | 1 Johnsoncontrols | 1 Metasys Reporting Engine | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Path Traversal vulnerability exists in Metasys Reporting Engine (MRE) Web Services which could allow a remote unauthenticated attacker to access and download arbitrary files from the system. | |||||
| CVE-2020-9049 | 1 Johnsoncontrols | 2 C-cure Web, Victor Web | 2024-11-21 | 5.7 MEDIUM | 7.1 HIGH |
| A vulnerability in specified versions of American Dynamics victor Web Client and Software House C•CURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack. | |||||
| CVE-2020-9048 | 2 Johnsoncontrols, Tyco | 2 Victor Web Client, C-cure Web Client | 2024-11-21 | 7.8 HIGH | 7.1 HIGH |
| A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack. | |||||
| CVE-2020-9047 | 1 Johnsoncontrols | 2 Exacqvision Enterprise Manager, Exacqvision Web Service | 2024-11-21 | 9.0 HIGH | 6.8 MEDIUM |
| A vulnerability exists that could allow the execution of unauthorized code or operating system commands on systems running exacqVision Web Service versions 20.06.3.0 and prior and exacqVision Enterprise Manager versions 20.06.4.0 and prior. An attacker with administrative privileges could potentially download and run a malicious executable that could allow OS command injection on the system. | |||||
| CVE-2020-9046 | 1 Johnsoncontrols | 1 Kantech Entrapass | 2024-11-21 | 7.2 HIGH | 8.8 HIGH |
| A vulnerability in all versions of Kantech EntraPass Editions could potentially allow an authorized low-privileged user to gain full system-level privileges by replacing critical files with specifically crafted files. | |||||
| CVE-2020-9045 | 2 Johnsoncontrols, Tyco | 2 C-cure 9000 Firmware, Victor Video Management System | 2024-11-21 | 4.0 MEDIUM | 9.9 CRITICAL |
| During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation. | |||||
| CVE-2020-9044 | 1 Johnsoncontrols | 20 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Lonworks Control Server and 17 more | 2024-11-21 | 6.4 MEDIUM | 7.5 HIGH |
| XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1. | |||||
| CVE-2019-7594 | 1 Johnsoncontrols | 1 Metasys System | 2024-11-21 | 6.4 MEDIUM | 6.8 MEDIUM |
| Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP). | |||||
| CVE-2019-7593 | 1 Johnsoncontrols | 1 Metasys System | 2024-11-21 | 6.4 MEDIUM | 6.8 MEDIUM |
| Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP). | |||||
| CVE-2019-7590 | 1 Johnsoncontrols | 1 Exacqvision Server | 2024-11-21 | 4.6 MEDIUM | 6.7 MEDIUM |
| ExacqVision Server’s services 'exacqVisionServer', 'dvrdhcpserver' and 'mdnsresponder' have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4. | |||||
| CVE-2019-7589 | 1 Johnsoncontrols | 1 Entrapass | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability with the SmartService API Service option exists whereby an unauthorized user could potentially exploit this to upload malicious code to the server that could be executed at system level privileges. This affects Johnson Controls' Kantech EntraPass Corporate Edition versions 8.0 and prior; Kantech EntraPass Global Edition versions 8.0 and prior. | |||||
| CVE-2018-10624 | 1 Johnsoncontrols | 2 Bcpro, Metasys System | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
| In Johnson Controls Metasys System Versions 8.0 and prior and BCPro (BCM) all versions prior to 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information. | |||||
| CVE-2024-32864 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2024-08-09 | N/A | 6.4 MEDIUM |
| Under certain circumstances exacqVision Web Services will not enforce secure web communications (HTTPS) | |||||
| CVE-2024-32865 | 1 Johnsoncontrols | 1 Exacqvision Server | 2024-08-09 | N/A | 6.4 MEDIUM |
| Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices. | |||||
| CVE-2024-32758 | 1 Johnsoncontrols | 2 Exacqvision Client, Exacqvision Server | 2024-08-09 | N/A | 7.5 HIGH |
| Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange | |||||
| CVE-2024-32862 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2024-08-09 | N/A | 6.8 MEDIUM |
| Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains. | |||||