Lucene search

[email protected]NVD:CVE-2023-28809

HistoryJun 15, 2023 - 7:15 p.m.

CVE-2023-28809

2023-06-1519:15:10

CWE-384

CWE-284

[email protected]

web.nvd.nist.gov

cve-2023-28809

vulnerability

session hijacking

access control product

user login

device permissions

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

57.7%

JSON

Some access control products are vulnerable to a session hijacking attack because the product does not update the session ID after a user successfully logs in. To exploit the vulnerability, attackers have to request the session ID at the same time as a valid user logs in, and gain device operation permissions by forging the IP and session ID of an authenticated user.

Affected configurations

NVD

Node

hikvisionds-k1t320efwxMatch-

AND

hikvisionds-k1t320efwx_firmwareMatch-

Node

hikvisionds-k1t320efxMatch-

AND

hikvisionds-k1t320efx_firmwareMatch-

Node

hikvisionds-k1t320ewxMatch-

AND

hikvisionds-k1t320ewx_firmwareMatch-

Node

hikvisionds-k1t320exMatch-

AND

hikvisionds-k1t320ex_firmwareMatch-

Node

hikvisionds-k1t320mfwxMatch-

AND

hikvisionds-k1t320mfwx_firmwareMatch-

Node

hikvisionds-k1t320mfxMatch-

AND

hikvisionds-k1t320mfx_firmwareMatch-

Node

hikvisionds-k1t320mwxMatch-

AND

hikvisionds-k1t320mwx_firmwareMatch-

Node

hikvisionds-k1t320mxMatch-

AND

hikvisionds-k1t320mx_firmwareMatch-

Node

hikvisionds-k1t341am_firmwareMatch-

AND

hikvisionds-k1t341amMatch-

Node

hikvisionds-k1t341amf_firmwareMatch-

AND

hikvisionds-k1t341amfMatch-

Node

hikvisionds-k1t341cm_firmwareMatch-

AND

hikvisionds-k1t341cmMatch-

Node

hikvisionds-k1t343ewx_firmwareMatch-

AND

hikvisionds-k1t343ewxMatch-

Node

hikvisionds-k1t343ex_firmwareMatch-

AND

hikvisionds-k1t343exMatch-

Node

hikvisionds-k1t343mwx_firmwareMatch-

AND

hikvisionds-k1t343mwxMatch-

Node

hikvisionds-k1t343mx_firmwareMatch-

AND

hikvisionds-k1t343mxMatch-

Node

hikvisionds-k1t671_firmwareMatch-

AND

hikvisionds-k1t671Match-

Node

hikvisionds-k1t671m_firmwareMatch-

AND

hikvisionds-k1t671mMatch-

Node

hikvisionds-k1t671mf_firmwareMatch-

AND

hikvisionds-k1t671mfMatch-

Node

hikvisionds-k1t671t_firmwareMatch-

AND

hikvisionds-k1t671tMatch-

Node

hikvisionds-k1t671tm_firmwareMatch-

AND

hikvisionds-k1t671tmMatch-

Node

hikvisionds-k1t671tm-3xf_firmwareMatch-

AND

hikvisionds-k1t671tm-3xfMatch-

Node

hikvisionds-k1t671tmfMatch-

AND

hikvisionds-k1t671tmf_firmwareMatch-

Node

hikvisionds-k1t671tmfw_firmwareMatch-

AND

hikvisionds-k1t671tmfwMatch-

Node

hikvisionds-k1t671tmw_firmwareMatch-

AND

hikvisionds-k1t671tmwMatch-

Node

hikvisionds-k1t804af_firmwareMatch-

AND

hikvisionds-k1t804afMatch-

Node

hikvisionds-k1t804amf_firmwareMatch-

AND

hikvisionds-k1t804amfMatch-

References

packetstormsecurity.com/files/174506/Hikvision-Access-Control-Session-Hijacking.html

www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-some-hikvision-access-control-intercom/

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

57.7%

JSON

Related for NVD:CVE-2023-28809

cve1 prion1 cvelist1 ics1