hidglobal 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには パス処理の欠陥、バッファオーバーフロー, and vendor risk csrf があり、vendor surface production workloads and vendor surface software deployment の利用場面で アプリケーションクラッシュ、vendor impact memory corruption, and ファイル上書き などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2024-23806 | Sensitive data can be extracted from HID iCLASS SE reader configuration cards. This could include credential and device administrator keys. | [email protected] | 5.3 | 0.07% | 2024-02-07 | 2024-11-21 |
| CVE-2024-22388 | Certain configuration available in the communication channel for encoders could expose sensitive data when reader configuration cards are programmed. This data could include credential and device administration keys. | [email protected] | 5.9 | 0.04% | 2024-02-06 | 2024-11-21 |
| CVE-2023-2904 | The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 are vulnerable to manipulation within web fields in the application programmable interface (API). An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users. There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also | [email protected] | 7.3 | 0.14% | 2023-06-07 | 2025-01-06 |
| CVE-2022-31486 | An authenticated attacker can send a specially crafted route to the “edit_route.cgi” binary and have it execute shell commands. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.303 for the LP series and 1.297 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, modify onboard relays, change configurati | [email protected] | 8.8 | 0.98% | 2022-06-06 | 2024-11-21 |
| CVE-2022-31485 | An unauthenticated attacker can send a specially crafted packets to update the “notes” section of the home page of the web interface. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.29. | [email protected] | 5.3 | 0.14% | 2022-06-06 | 2024-11-21 |
| CVE-2022-31484 | An unauthenticated attacker can send a specially crafted network packet to delete a user from the web interface. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.29. The impact of this vulnerability is that an unauthenticated attacker could restrict access to the web interface to legitimate users and potentially requiring them to use the default user dip switch procedure to gain | [email protected] | 7.5 | 0.45% | 2022-06-06 | 2024-11-21 |
| CVE-2022-31483 | An authenticated attacker can upload a file with a filename including “..” and “/” to achieve the ability to upload the desired file anywhere on the filesystem. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.271. This allows a malicious actor to overwrite sensitive system files and install a startup service to gain remote access to the underlaying Linux operating system with ro | [email protected] | 9.1 | 0.62% | 2022-06-06 | 2024-11-21 |
| CVE-2022-31482 | An unauthenticated attacker can send a specially crafted unauthenticated HTTP request to the device that can overflow a buffer. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.29. The overflowed data leads to segmentation fault and ultimately a denial-of-service condition, causing the device to reboot. The impact of this vulnerability is that an unauthenticated attacker could le | [email protected] | 7.5 | 0.51% | 2022-06-06 | 2024-11-21 |
| CVE-2022-31481 | An unauthenticated attacker can send a specially crafted update file to the device that can overflow a buffer. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. The overflowed data can allow the attacker to manipulate the “normal” code execution to that of their choosing. An attacker with this level of access on the device can mon | [email protected] | 10.0 | 1.24% | 2022-06-06 | 2024-11-21 |
| CVE-2022-31480 | An unauthenticated attacker could arbitrarily upload firmware files to the target device, ultimately causing a Denial-of-Service (DoS). This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. The attacker needs to have a properly signed and encrypted binary, loading the firmware to the device ultimately triggers a reboot. | [email protected] | 7.5 | 0.37% | 2022-06-06 | 2024-11-21 |
| CVE-2022-31479 | An unauthenticated attacker can update the hostname with a specially crafted name that will allow for shell commands to be executed during the core collection process. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.302 for the LP series and 1.296 for the EP series. An attacker with this level of access on the device can monitor all communications sent to and from this device, m | [email protected] | 9.6 | 9.07% | 2022-06-06 | 2024-11-21 |
| CVE-2020-36283 | HID OMNIKEY 5427 and OMNIKEY 5127 readers are vulnerable to CSRF when using the EEM driver (Ethernet Emulation Mode). By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to upload a configuration file to the device. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. | [email protected] | 9.6 | 0.21% | 2021-03-24 | 2024-11-21 |
| CVE-2019-13603 | An issue was discovered in the HID Global DigitalPersona (formerly Crossmatch) U.are.U 4500 Fingerprint Reader Windows Biometric Framework driver 5.0.0.5. It has a statically coded initialization vector to encrypt a user's fingerprint image, resulting in weak encryption of that. This, in combination with retrieving an encrypted fingerprint image and encryption key (through another vulnerability), allows an attacker to obtain a user's fingerprint image. | [email protected] | 5.9 | 0.30% | 2019-07-16 | 2024-11-21 |
| CVE-2018-17492 | EasyLobby Solo contains default administrative credentials. An attacker could exploit this vulnerability to gain full access to the application. | [email protected] | 8.4 | 0.06% | 2019-03-21 | 2024-11-21 |
| CVE-2018-17491 | EasyLobby Solo could allow a local attacker to gain elevated privileges on the system. By visiting the kiosk and typing "esc" to exit the program, an attacker could exploit this vulnerability to perform unauthorized actions on the computer. | [email protected] | 8.4 | 0.04% | 2019-03-21 | 2024-11-21 |
| CVE-2018-17490 | EasyLobby Solo is vulnerable to a denial of service. By visiting the kiosk and accessing the task manager, a local attacker could exploit this vulnerability to kill the process or launch new processes at will. | [email protected] | 7.7 | 0.05% | 2019-03-21 | 2024-11-21 |
| CVE-2018-17489 | EasyLobby Solo could allow a local attacker to obtain sensitive information, caused by the storing of the social security number in plaintext. By visiting the kiosk and viewing the Visitor table of the database, an attacker could exploit this vulnerability to view stored social security numbers. | [email protected] | 2.9 | 0.05% | 2019-03-21 | 2024-11-21 |