| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated Remote Code Execution i.e Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior. |
| Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise
This issue affects Frick Controls Quantum HD version 10.22 and prior. |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior. |
| Use of a weak pseudo-random number generator, which may allow an attacker to read or inject encrypted PowerG packets. |
| The iSTAR door controllers running firmware prior to version 6.6.B, does not support authenticated
communications with ICU, which may allow an attacker to gain unauthorized access |
| Under certain circumstances the impacted Software House C•CURE 9000 installer will utilize unnecessarily wide permissions. |
| Under certain circumstances a successful exploitation could result in access to the device. |
| Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information. |
| Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects
* Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
* Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,
* LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,
* System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,
* Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior. |
| OS Command Injection in iSTAR Ultra products web application allows an authenticated attacker to gain even more privileged access ('root' user) to the device firmware. |
| Successful exploitation of these vulnerabilities could allow an attacker to modify firmware and gain full access to the device. |
| Authentication issue that does not verify the source of a packet which could allow an attacker to create a denial-of-service condition or modify the configuration of the device. |
| Under certain circumstances a successful exploitation could result in access to the device. |
| Due to Nonce reuse, attackers can perform reply attack or decrypt captured packets. |
| Johnson Controls iSTAR Configuration Utility (ICU) has Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility (ICU) version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the ICU tool. |
| iSTAR Ultra performs a firmware verification on boot, however the verification does not inspect certain portions of the firmware. These firmware parts may contain malicious code. Tested up to firmware 6.9.2, later firmwares are also possibly affected. |
| Under certain circumstances, attacker can capture the network key, read or write encrypted packets on the PowerG network. |
| Successful exploitation of this vulnerability could result in the product failing to re-establish communication once the certificate expires. |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows OS Command Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior. |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Johnson Controls Frick Controls Quantum HD allows Code Injection. Insufficient validation of input in certain parameters may permit unexpected actions, which could impact the security of the device before authentication occurs.This issue affects Frick Controls Quantum HD version 10.22 and prior. |
