A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change.
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Metasys_application_and_data_server | Johnsoncontrols | 10.0 (including) | 10.1.5 (including) |
| Metasys_application_and_data_server | Johnsoncontrols | 11.0 (including) | 11.0 (including) |
| Metasys_application_and_data_server | Johnsoncontrols | 11.0.1 (including) | 11.0.1 (including) |
| Metasys_extended_application_and_data_server | Johnsoncontrols | 10.0 (including) | 10.1.5 (including) |
| Metasys_extended_application_and_data_server | Johnsoncontrols | 11.0 (including) | 11.0 (including) |
| Metasys_extended_application_and_data_server | Johnsoncontrols | 11.0.1 (including) | 11.0.1 (including) |
| Metasys_open_application_server | Johnsoncontrols | 10.0 (including) | 10.1.5 (excluding) |
| Metasys_open_application_server | Johnsoncontrols | 11.0 (including) | 11.0 (including) |
| Metasys_open_application_server | Johnsoncontrols | 11.0.1 (including) | 11.0.1 (including) |