Lucene search

K
nvd[email protected]NVD:CVE-2023-2904
HistoryJun 07, 2023 - 10:15 p.m.

CVE-2023-2904

2023-06-0722:15:09
CWE-471
web.nvd.nist.gov
cve-2023-2904
api manipulation
user credential access
personal data access
denial of service

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

0.001 Low

EPSS

Percentile

28.8%

The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 are vulnerable to manipulation within web fields in the application programmable interface (API). An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users. There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also exploit this vulnerability to create a denial-of-service condition.

Affected configurations

NVD
Node
hidglobalsafeRange5.8.05.11.3

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

0.001 Low

EPSS

Percentile

28.8%

Related for NVD:CVE-2023-2904