On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HJohnsoncontrols Metasys Extended Application And Data Server
APPJohnsoncontrols12.0Johnsoncontrols Metasys For Validated Environments
APPJohnsoncontrolswszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
Related vulnerabilities
CVE-2021-36204HIGH7.8ten sam produkt
Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS...
CVE-2022-21938HIGH8.1ten sam produkt
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys AD...
CVE-2022-21937HIGH8.7ten sam produkt
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys AD...
CVE-2022-21935HIGH7.5ten sam produkt
A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior t...
CVE-2022-21934HIGH8.0ten sam produkt
Under certain circumstances an authenticated user could lock other users out of the system or take over their ...