A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Metasys_application_and_data_server | Johnsoncontrols | 10.0 (including) | 10.1.5 (including) |
| Metasys_application_and_data_server | Johnsoncontrols | 11.0 (including) | 11.0 (including) |
| Metasys_application_and_data_server | Johnsoncontrols | 11.0.1 (including) | 11.0.1 (including) |
| Metasys_extended_application_and_data_server | Johnsoncontrols | 10.0 (including) | 10.1.5 (including) |
| Metasys_extended_application_and_data_server | Johnsoncontrols | 11.0 (including) | 11.0 (including) |
| Metasys_extended_application_and_data_server | Johnsoncontrols | 11.0.1 (including) | 11.0.1 (including) |
| Metasys_open_application_server | Johnsoncontrols | 10.0 (including) | 10.1.5 (excluding) |
| Metasys_open_application_server | Johnsoncontrols | 11.0 (including) | 11.0 (including) |
| Metasys_open_application_server | Johnsoncontrols | 11.0.1 (including) | 11.0.1 (including) |