#VU76809 Modification of assumed-immutable data in SAFE - CVE-2023-2904

Cybersecurity Help s.r.o.

Published: 2023-06-02

Vulnerability identifier: #VU76809

Vulnerability risk: Medium

CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-2904

CWE-ID: CWE-471

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SAFE
Other software / Other software solutions

Vendor: HID Global

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to application does not perform validation of the attacker-controlled data, assuming that data is valid and safe. A remote user can tamper with parameters, passed to the application, and change its workflow.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SAFE: 5.8.0 - 5.11.3

External links
https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-02
https://www.hidglobal.com/documents/safe-visitor-manager-portal

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Modification of assumed-immutable data in HID Global SAFE