Johnsoncontrols Security Vulnerabilities

CVE-2023-3548

An unauthorized user could gain account access to IQ Wifi 6 versions prior to 2.0.2 by conducting a brute force authentication attack.

CVE-2023-3749

A local user could edit the VideoEdge configuration file and interfere with VideoEdge operation.

CVE-2023-4486

Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4 and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.

CVE-2023-4804

An unauthorized user could access debug features in Quantum HD Unity products that were accidentally exposed.

CVE-2024-0242

Under certain circumstances IQ Panel4 and IQ4 Hub panel software prior to version 4.4.2 could allow unauthorized access to settings.

CVE-2024-0912

Under certain circumstances the Microsoft® Internet Information Server (IIS) used to host the C•CURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact to non-web service interfaces C•CURE 9000 or prior versions

CVE-2024-32758

Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange

CVE-2024-32862

Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains.

CVE-2024-32863

Under certain circumstances the exacqVision Web Services may be susceptible to Cross-Site Request Forgery (CSRF)

CVE-2024-32864

Under certain circumstances exacqVision Web Services will not enforce secure web communications (HTTPS)

CVE-2024-32865

Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices.

CVE-2024-32931

Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.