XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HJohnsoncontrols Metasys Application And Data Server
APPJohnsoncontrolsβ€ 10.1Johnsoncontrols Metasys Extended Application And Data Server
APPJohnsoncontrolsβ€ 10.1Johnsoncontrols Metasys Lonworks Control Server
APPJohnsoncontrolsβ€ 10.1Johnsoncontrols Metasys Open Application Server
APPJohnsoncontrols10.1Johnsoncontrols Metasys Open Data Server
APPJohnsoncontrolsβ€ 10.1Johnsoncontrols Metasys System Configuration Tool
APPJohnsoncontrolsβ€ 13.2Johnsoncontrols Nae55
HWJohnsoncontrolswszystkie wersjeJohnsoncontrols Nae55 Firmware
OSJohnsoncontrols8.19.0.19.0.29.0.39.0.59.0.6Johnsoncontrols Nae85
HWJohnsoncontrolswszystkie wersjeJohnsoncontrols Nae85 Firmware
OSJohnsoncontrolsβ€ 10.1Johnsoncontrols Nie55
HWJohnsoncontrolswszystkie wersjeJohnsoncontrols Nie55 Firmware
OSJohnsoncontrols9.0.19.0.29.0.39.0.59.0.6Johnsoncontrols Nie59
HWJohnsoncontrolswszystkie wersjeJohnsoncontrols Nie59 Firmware
OSJohnsoncontrols9.0.19.0.29.0.39.0.59.0.6Johnsoncontrols Nie85
HWJohnsoncontrolswszystkie wersjeJohnsoncontrols Nie85 Firmware
OSJohnsoncontrolsβ€ 10.1Johnsoncontrols Ord C100 13 Uuklc
HWJohnsoncontrolswszystkie wersjeJohnsoncontrols Ord C100 13 Uuklc Firmware
OSJohnsoncontrols8.1Johnsoncontrols Ul 864 Uukl
HWJohnsoncontrolswszystkie wersjeJohnsoncontrols Ul 864 Uukl Firmware
OSJohnsoncontrols8.1
Related vulnerabilities
Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson...
Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) ver...
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configur...
Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS...
On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions witho...