Search

Find a vulnerability

Search criteria

    18 vulnerabilities found for control_id_idsecure by assaabloy

    CVE-2025-49853 (GCVE-0-2025-49853)

    Vulnerability from nvd – Published: 2025-06-24 19:23 – Updated: 2025-06-27 17:13
    VLAI
    Title
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ControlID iDSecure On-premises
    Summary
    ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    ControlID iDSecure On-premises Affected: 0 , ≤ 4.7.48.0 (custom)
    Create a notification for this product.
    Date Public
    2025-06-24 19:13
    Credits
    Noam Moshe of Claroty Team82
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49853",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-24T19:43:10.981265Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-24T19:43:34.168Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "iDSecure On-premises",
              "vendor": "ControlID",
              "versions": [
                {
                  "lessThanOrEqual": "4.7.48.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Noam Moshe of Claroty Team82"
            }
          ],
          "datePublic": "2025-06-24T19:13:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries.\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-27T17:13:55.451Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "government-resource"
              ],
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eControlID has released the following versions for users to update:\u003c/p\u003e\u003cul\u003e\u003cli\u003eiDSecure On-premises: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.controlid.com.br/en/access-control/idsecure/\"\u003eVersion 4.7.50.0\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information, contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.controlid.com.br/en/contact/\"\u003eControlID\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "ControlID has released the following versions for users to update:\n\n  *  iDSecure On-premises:  Version 4.7.50.0 https://www.controlid.com.br/en/access-control/idsecure/ \n\n\nFor more information, contact  ControlID https://www.controlid.com.br/en/contact/ ."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) in ControlID iDSecure On-premises",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2025-49853",
        "datePublished": "2025-06-24T19:23:19.181Z",
        "dateReserved": "2025-06-11T15:48:15.494Z",
        "dateUpdated": "2025-06-27T17:13:55.451Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49852 (GCVE-0-2025-49852)

    Vulnerability from nvd – Published: 2025-06-24 19:19 – Updated: 2025-06-27 17:14
    VLAI
    Title
    Server-Side Request Forgery (SSRF) in ControlID iDSecure On-premises
    Summary
    ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a server-side request forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    ControlID iDSecure On-premises Affected: 0 , ≤ 4.7.48.0 (custom)
    Create a notification for this product.
    Date Public
    2025-06-24 19:13
    Credits
    Noam Moshe of Claroty Team82
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49852",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-24T19:33:33.826026Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-24T19:33:53.676Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "iDSecure On-premises",
              "vendor": "ControlID",
              "versions": [
                {
                  "lessThanOrEqual": "4.7.48.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Noam Moshe of Claroty Team82"
            }
          ],
          "datePublic": "2025-06-24T19:13:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003eControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a server-side request forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers.\u003c/p\u003e"
                }
              ],
              "value": "ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a server-side request forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-27T17:14:33.313Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "government-resource"
              ],
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eControlID has released the following versions for users to update:\u003c/p\u003e\u003cul\u003e\u003cli\u003eiDSecure On-premises: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.controlid.com.br/en/access-control/idsecure/\"\u003eVersion 4.7.50.0\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information, contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.controlid.com.br/en/contact/\"\u003eControlID\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "ControlID has released the following versions for users to update:\n\n  *  iDSecure On-premises:  Version 4.7.50.0 https://www.controlid.com.br/en/access-control/idsecure/ \n\n\nFor more information, contact  ControlID https://www.controlid.com.br/en/contact/ ."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Server-Side Request Forgery (SSRF) in ControlID iDSecure On-premises",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2025-49852",
        "datePublished": "2025-06-24T19:19:42.160Z",
        "dateReserved": "2025-06-11T15:48:15.494Z",
        "dateUpdated": "2025-06-27T17:14:33.313Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49851 (GCVE-0-2025-49851)

    Vulnerability from nvd – Published: 2025-06-24 19:17 – Updated: 2025-06-27 17:12
    VLAI
    Title
    Improper Authentication in ControlID iDSecure On-premises
    Summary
    ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an improper authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    ControlID iDSecure On-premises Affected: 0 , ≤ 4.7.48.0 (custom)
    Create a notification for this product.
    Date Public
    2025-06-24 19:13
    Credits
    Noam Moshe of Claroty Team82
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49851",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-24T19:36:09.883703Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-24T19:36:25.619Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "iDSecure On-premises",
              "vendor": "ControlID",
              "versions": [
                {
                  "lessThanOrEqual": "4.7.48.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Noam Moshe of Claroty Team82"
            }
          ],
          "datePublic": "2025-06-24T19:13:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an improper authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product.\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an improper authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-27T17:12:17.265Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "government-resource"
              ],
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eControlID has released the following versions for users to update:\u003c/p\u003e\u003cul\u003e\u003cli\u003eiDSecure On-premises: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.controlid.com.br/en/access-control/idsecure/\"\u003eVersion 4.7.50.0\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information, contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.controlid.com.br/en/contact/\"\u003eControlID\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "ControlID has released the following versions for users to update:\n\n  *  iDSecure On-premises:  Version 4.7.50.0 https://www.controlid.com.br/en/access-control/idsecure/ \n\n\nFor more information, contact  ControlID https://www.controlid.com.br/en/contact/ ."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Authentication in ControlID iDSecure On-premises",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2025-49851",
        "datePublished": "2025-06-24T19:17:08.104Z",
        "dateReserved": "2025-06-11T15:48:15.494Z",
        "dateUpdated": "2025-06-27T17:12:17.265Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33367 (GCVE-0-2023-33367)

    Vulnerability from nvd – Published: 2023-08-05 00:00 – Updated: 2024-10-17 14:48
    VLAI
    Summary
    A SQL injection vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing unauthenticated attackers to write PHP files on the server's root directory, resulting in remote code execution.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:47:05.040Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.controlid.com.br/en/access-control/idsecure/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33367"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33367",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-17T14:48:24.355779Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T14:48:32.915Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A SQL injection vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing unauthenticated attackers to write PHP files on the server\u0027s root directory, resulting in remote code execution."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-05T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.controlid.com.br/en/access-control/idsecure/"
            },
            {
              "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33367"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-33367",
        "datePublished": "2023-08-05T00:00:00.000Z",
        "dateReserved": "2023-05-22T00:00:00.000Z",
        "dateUpdated": "2024-10-17T14:48:32.915Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33371 (GCVE-0-2023-33371)

    Vulnerability from nvd – Published: 2023-08-03 00:00 – Updated: 2024-10-17 16:46
    VLAI
    Summary
    Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:47:05.171Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.controlid.com.br/en/access-control/idsecure/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33371"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33371",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-17T16:46:26.054576Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T16:46:34.211Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-03T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.controlid.com.br/en/access-control/idsecure/"
            },
            {
              "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33371"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-33371",
        "datePublished": "2023-08-03T00:00:00.000Z",
        "dateReserved": "2023-05-22T00:00:00.000Z",
        "dateUpdated": "2024-10-17T16:46:34.211Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33370 (GCVE-0-2023-33370)

    Vulnerability from nvd – Published: 2023-08-03 00:00 – Updated: 2024-10-17 18:18
    VLAI
    Summary
    An uncaught exception vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to cause the main web server of IDSecure to fault and crash, causing a denial of service.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:47:05.084Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.controlid.com.br/en/access-control/idsecure/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33370"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33370",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-17T18:17:51.303410Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T18:18:03.522Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An uncaught exception vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to cause the main web server of IDSecure to fault and crash, causing a denial of service."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-03T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.controlid.com.br/en/access-control/idsecure/"
            },
            {
              "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33370"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-33370",
        "datePublished": "2023-08-03T00:00:00.000Z",
        "dateReserved": "2023-05-22T00:00:00.000Z",
        "dateUpdated": "2024-10-17T18:18:03.522Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33369 (GCVE-0-2023-33369)

    Vulnerability from nvd – Published: 2023-08-03 00:00 – Updated: 2024-10-17 18:20
    VLAI
    Summary
    A path traversal vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to delete arbitrary files on IDSecure filesystem, causing a denial of service.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:47:05.256Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.controlid.com.br/en/access-control/idsecure/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33369"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33369",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-17T18:20:23.475077Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T18:20:31.373Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A path traversal vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to delete arbitrary files on IDSecure filesystem, causing a denial of service."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-03T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.controlid.com.br/en/access-control/idsecure/"
            },
            {
              "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33369"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-33369",
        "datePublished": "2023-08-03T00:00:00.000Z",
        "dateReserved": "2023-05-22T00:00:00.000Z",
        "dateUpdated": "2024-10-17T18:20:31.373Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33368 (GCVE-0-2023-33368)

    Vulnerability from nvd – Published: 2023-08-03 00:00 – Updated: 2024-10-17 18:21
    VLAI
    Summary
    Some API routes exists in Control ID IDSecure 4.7.26.0 and prior, exfiltrating sensitive information and passwords to users accessing these API routes.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:47:05.199Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.controlid.com.br/en/access-control/idsecure/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33368"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33368",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-17T18:21:13.667352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T18:21:24.849Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some API routes exists in Control ID IDSecure 4.7.26.0 and prior, exfiltrating sensitive information and passwords to users accessing these API routes."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-03T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.controlid.com.br/en/access-control/idsecure/"
            },
            {
              "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33368"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-33368",
        "datePublished": "2023-08-03T00:00:00.000Z",
        "dateReserved": "2023-05-22T00:00:00.000Z",
        "dateUpdated": "2024-10-17T18:21:24.849Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-2044 (GCVE-0-2023-2044)

    Vulnerability from nvd – Published: 2023-04-14 10:00 – Updated: 2024-08-02 06:12
    VLAI
    Title
    Control iD iDSecure Dispositivos Page cross site scripting
    Summary
    A vulnerability has been found in Control iD iDSecure 4.7.29.1 and classified as problematic. This vulnerability affects unknown code of the component Dispositivos Page. The manipulation of the argument IP-DNS leads to cross site scripting. The attack can be initiated remotely. VDB-225922 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
    CWE
    • CWE-79 - Cross Site Scripting
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.225922 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.225922 signature
    Impacted products
    Vendor Product Version
    Control iD iDSecure Affected: 4.7.29.1
    Create a notification for this product.
    Credits
    Stux (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:12:19.935Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?id.225922"
              },
              {
                "tags": [
                  "signature",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?ctiid.225922"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Dispositivos Page"
              ],
              "product": "iDSecure",
              "vendor": "Control iD",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.7.29.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "analyst",
              "value": "Stux (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been found in Control iD iDSecure 4.7.29.1 and classified as problematic. This vulnerability affects unknown code of the component Dispositivos Page. The manipulation of the argument IP-DNS leads to cross site scripting. The attack can be initiated remotely. VDB-225922 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "In Control iD iDSecure 4.7.29.1 wurde eine problematische Schwachstelle gefunden. Betroffen ist eine unbekannte Verarbeitung der Komponente Dispositivos Page. Durch Manipulation des Arguments IP-DNS mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-22T09:51:19.858Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.225922"
            },
            {
              "tags": [
                "signature"
              ],
              "url": "https://vuldb.com/?ctiid.225922"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-04-14T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2023-04-14T00:00:00.000Z",
              "value": "CVE reserved"
            },
            {
              "lang": "en",
              "time": "2023-04-14T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2023-04-30T16:31:01.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Control iD iDSecure Dispositivos Page cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2023-2044",
        "datePublished": "2023-04-14T10:00:05.920Z",
        "dateReserved": "2023-04-14T06:55:48.287Z",
        "dateUpdated": "2024-08-02T06:12:19.935Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49853 (GCVE-0-2025-49853)

    Vulnerability from cvelistv5 – Published: 2025-06-24 19:23 – Updated: 2025-06-27 17:13
    VLAI
    Title
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ControlID iDSecure On-premises
    Summary
    ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    ControlID iDSecure On-premises Affected: 0 , ≤ 4.7.48.0 (custom)
    Create a notification for this product.
    Date Public
    2025-06-24 19:13
    Credits
    Noam Moshe of Claroty Team82
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49853",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-24T19:43:10.981265Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-24T19:43:34.168Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "iDSecure On-premises",
              "vendor": "ControlID",
              "versions": [
                {
                  "lessThanOrEqual": "4.7.48.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Noam Moshe of Claroty Team82"
            }
          ],
          "datePublic": "2025-06-24T19:13:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries.\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-27T17:13:55.451Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "government-resource"
              ],
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eControlID has released the following versions for users to update:\u003c/p\u003e\u003cul\u003e\u003cli\u003eiDSecure On-premises: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.controlid.com.br/en/access-control/idsecure/\"\u003eVersion 4.7.50.0\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information, contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.controlid.com.br/en/contact/\"\u003eControlID\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "ControlID has released the following versions for users to update:\n\n  *  iDSecure On-premises:  Version 4.7.50.0 https://www.controlid.com.br/en/access-control/idsecure/ \n\n\nFor more information, contact  ControlID https://www.controlid.com.br/en/contact/ ."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) in ControlID iDSecure On-premises",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2025-49853",
        "datePublished": "2025-06-24T19:23:19.181Z",
        "dateReserved": "2025-06-11T15:48:15.494Z",
        "dateUpdated": "2025-06-27T17:13:55.451Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49852 (GCVE-0-2025-49852)

    Vulnerability from cvelistv5 – Published: 2025-06-24 19:19 – Updated: 2025-06-27 17:14
    VLAI
    Title
    Server-Side Request Forgery (SSRF) in ControlID iDSecure On-premises
    Summary
    ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a server-side request forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    ControlID iDSecure On-premises Affected: 0 , ≤ 4.7.48.0 (custom)
    Create a notification for this product.
    Date Public
    2025-06-24 19:13
    Credits
    Noam Moshe of Claroty Team82
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49852",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-24T19:33:33.826026Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-24T19:33:53.676Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "iDSecure On-premises",
              "vendor": "ControlID",
              "versions": [
                {
                  "lessThanOrEqual": "4.7.48.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Noam Moshe of Claroty Team82"
            }
          ],
          "datePublic": "2025-06-24T19:13:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003eControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a server-side request forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers.\u003c/p\u003e"
                }
              ],
              "value": "ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a server-side request forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-27T17:14:33.313Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "government-resource"
              ],
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eControlID has released the following versions for users to update:\u003c/p\u003e\u003cul\u003e\u003cli\u003eiDSecure On-premises: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.controlid.com.br/en/access-control/idsecure/\"\u003eVersion 4.7.50.0\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information, contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.controlid.com.br/en/contact/\"\u003eControlID\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "ControlID has released the following versions for users to update:\n\n  *  iDSecure On-premises:  Version 4.7.50.0 https://www.controlid.com.br/en/access-control/idsecure/ \n\n\nFor more information, contact  ControlID https://www.controlid.com.br/en/contact/ ."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Server-Side Request Forgery (SSRF) in ControlID iDSecure On-premises",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2025-49852",
        "datePublished": "2025-06-24T19:19:42.160Z",
        "dateReserved": "2025-06-11T15:48:15.494Z",
        "dateUpdated": "2025-06-27T17:14:33.313Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-49851 (GCVE-0-2025-49851)

    Vulnerability from cvelistv5 – Published: 2025-06-24 19:17 – Updated: 2025-06-27 17:12
    VLAI
    Title
    Improper Authentication in ControlID iDSecure On-premises
    Summary
    ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an improper authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    ControlID iDSecure On-premises Affected: 0 , ≤ 4.7.48.0 (custom)
    Create a notification for this product.
    Date Public
    2025-06-24 19:13
    Credits
    Noam Moshe of Claroty Team82
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49851",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-24T19:36:09.883703Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-24T19:36:25.619Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "iDSecure On-premises",
              "vendor": "ControlID",
              "versions": [
                {
                  "lessThanOrEqual": "4.7.48.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Noam Moshe of Claroty Team82"
            }
          ],
          "datePublic": "2025-06-24T19:13:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an improper authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product.\u003c/p\u003e\u003cbr\u003e"
                }
              ],
              "value": "ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an improper authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-27T17:12:17.265Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "government-resource"
              ],
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eControlID has released the following versions for users to update:\u003c/p\u003e\u003cul\u003e\u003cli\u003eiDSecure On-premises: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.controlid.com.br/en/access-control/idsecure/\"\u003eVersion 4.7.50.0\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information, contact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.controlid.com.br/en/contact/\"\u003eControlID\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "ControlID has released the following versions for users to update:\n\n  *  iDSecure On-premises:  Version 4.7.50.0 https://www.controlid.com.br/en/access-control/idsecure/ \n\n\nFor more information, contact  ControlID https://www.controlid.com.br/en/contact/ ."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper Authentication in ControlID iDSecure On-premises",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2025-49851",
        "datePublished": "2025-06-24T19:17:08.104Z",
        "dateReserved": "2025-06-11T15:48:15.494Z",
        "dateUpdated": "2025-06-27T17:12:17.265Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33367 (GCVE-0-2023-33367)

    Vulnerability from cvelistv5 – Published: 2023-08-05 00:00 – Updated: 2024-10-17 14:48
    VLAI
    Summary
    A SQL injection vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing unauthenticated attackers to write PHP files on the server's root directory, resulting in remote code execution.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:47:05.040Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.controlid.com.br/en/access-control/idsecure/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33367"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33367",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-17T14:48:24.355779Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T14:48:32.915Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A SQL injection vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing unauthenticated attackers to write PHP files on the server\u0027s root directory, resulting in remote code execution."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-05T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.controlid.com.br/en/access-control/idsecure/"
            },
            {
              "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33367"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-33367",
        "datePublished": "2023-08-05T00:00:00.000Z",
        "dateReserved": "2023-05-22T00:00:00.000Z",
        "dateUpdated": "2024-10-17T14:48:32.915Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33369 (GCVE-0-2023-33369)

    Vulnerability from cvelistv5 – Published: 2023-08-03 00:00 – Updated: 2024-10-17 18:20
    VLAI
    Summary
    A path traversal vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to delete arbitrary files on IDSecure filesystem, causing a denial of service.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:47:05.256Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.controlid.com.br/en/access-control/idsecure/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33369"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33369",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-17T18:20:23.475077Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T18:20:31.373Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A path traversal vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to delete arbitrary files on IDSecure filesystem, causing a denial of service."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-03T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.controlid.com.br/en/access-control/idsecure/"
            },
            {
              "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33369"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-33369",
        "datePublished": "2023-08-03T00:00:00.000Z",
        "dateReserved": "2023-05-22T00:00:00.000Z",
        "dateUpdated": "2024-10-17T18:20:31.373Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33368 (GCVE-0-2023-33368)

    Vulnerability from cvelistv5 – Published: 2023-08-03 00:00 – Updated: 2024-10-17 18:21
    VLAI
    Summary
    Some API routes exists in Control ID IDSecure 4.7.26.0 and prior, exfiltrating sensitive information and passwords to users accessing these API routes.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:47:05.199Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.controlid.com.br/en/access-control/idsecure/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33368"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33368",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-17T18:21:13.667352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T18:21:24.849Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Some API routes exists in Control ID IDSecure 4.7.26.0 and prior, exfiltrating sensitive information and passwords to users accessing these API routes."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-03T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.controlid.com.br/en/access-control/idsecure/"
            },
            {
              "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33368"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-33368",
        "datePublished": "2023-08-03T00:00:00.000Z",
        "dateReserved": "2023-05-22T00:00:00.000Z",
        "dateUpdated": "2024-10-17T18:21:24.849Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33370 (GCVE-0-2023-33370)

    Vulnerability from cvelistv5 – Published: 2023-08-03 00:00 – Updated: 2024-10-17 18:18
    VLAI
    Summary
    An uncaught exception vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to cause the main web server of IDSecure to fault and crash, causing a denial of service.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:47:05.084Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.controlid.com.br/en/access-control/idsecure/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33370"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33370",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-17T18:17:51.303410Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T18:18:03.522Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An uncaught exception vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to cause the main web server of IDSecure to fault and crash, causing a denial of service."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-03T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.controlid.com.br/en/access-control/idsecure/"
            },
            {
              "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33370"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-33370",
        "datePublished": "2023-08-03T00:00:00.000Z",
        "dateReserved": "2023-05-22T00:00:00.000Z",
        "dateUpdated": "2024-10-17T18:18:03.522Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33371 (GCVE-0-2023-33371)

    Vulnerability from cvelistv5 – Published: 2023-08-03 00:00 – Updated: 2024-10-17 16:46
    VLAI
    Summary
    Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:47:05.171Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.controlid.com.br/en/access-control/idsecure/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33371"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33371",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-17T16:46:26.054576Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T16:46:34.211Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-08-03T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.controlid.com.br/en/access-control/idsecure/"
            },
            {
              "url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-33371"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-33371",
        "datePublished": "2023-08-03T00:00:00.000Z",
        "dateReserved": "2023-05-22T00:00:00.000Z",
        "dateUpdated": "2024-10-17T16:46:34.211Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-2044 (GCVE-0-2023-2044)

    Vulnerability from cvelistv5 – Published: 2023-04-14 10:00 – Updated: 2024-08-02 06:12
    VLAI
    Title
    Control iD iDSecure Dispositivos Page cross site scripting
    Summary
    A vulnerability has been found in Control iD iDSecure 4.7.29.1 and classified as problematic. This vulnerability affects unknown code of the component Dispositivos Page. The manipulation of the argument IP-DNS leads to cross site scripting. The attack can be initiated remotely. VDB-225922 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
    CWE
    • CWE-79 - Cross Site Scripting
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.225922 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.225922 signature
    Impacted products
    Vendor Product Version
    Control iD iDSecure Affected: 4.7.29.1
    Create a notification for this product.
    Credits
    Stux (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:12:19.935Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?id.225922"
              },
              {
                "tags": [
                  "signature",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?ctiid.225922"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Dispositivos Page"
              ],
              "product": "iDSecure",
              "vendor": "Control iD",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.7.29.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "analyst",
              "value": "Stux (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been found in Control iD iDSecure 4.7.29.1 and classified as problematic. This vulnerability affects unknown code of the component Dispositivos Page. The manipulation of the argument IP-DNS leads to cross site scripting. The attack can be initiated remotely. VDB-225922 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "In Control iD iDSecure 4.7.29.1 wurde eine problematische Schwachstelle gefunden. Betroffen ist eine unbekannte Verarbeitung der Komponente Dispositivos Page. Durch Manipulation des Arguments IP-DNS mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-22T09:51:19.858Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.225922"
            },
            {
              "tags": [
                "signature"
              ],
              "url": "https://vuldb.com/?ctiid.225922"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-04-14T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2023-04-14T00:00:00.000Z",
              "value": "CVE reserved"
            },
            {
              "lang": "en",
              "time": "2023-04-14T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2023-04-30T16:31:01.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Control iD iDSecure Dispositivos Page cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2023-2044",
        "datePublished": "2023-04-14T10:00:05.920Z",
        "dateReserved": "2023-04-14T06:55:48.287Z",
        "dateUpdated": "2024-08-02T06:12:19.935Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }