Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for sgima_lite_\&_lite\+_firmware by idemia

    CVE-2023-4667 (GCVE-0-2023-4667)

    Vulnerability from nvd – Published: 2023-11-28 08:09 – Updated: 2024-10-17 16:26
    VLAI
    Title
    Stored Cross Site Scripting in webserver administration
    Summary
    The web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields. The stored malicious script is then executed when the GUI is opened by any users of the webserver administration interface.  The root cause of the vulnerability is inadequate input validation and output encoding in the web administration interface component of the firmware. This could lead to  unauthorized access and data leakage
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    IDEMIA SIGMA Lite & Lite + Affected: 0
    Create a notification for this product.
    IDEMIA SIGMA Wide Affected: 0
    Create a notification for this product.
    IDEMIA SIGMA Extreme Affected: 0
    Create a notification for this product.
    IDEMIA MorphoWave Compact/XP Affected: 0
    Create a notification for this product.
    IDEMIA VisionPass Affected: 0
    Create a notification for this product.
    IDEMIA MorphoWave SP Affected: 0
    Create a notification for this product.
    idemia visionpass Affected: 0
        cpe:2.3:h:idemia:morphowave_compact:-:*:*:*:*:*:*:*
        cpe:2.3:h:idemia:morphowave_xp:-:*:*:*:*:*:*:*
        cpe:2.3:h:idemia:sigma_extreme:-:*:*:*:*:*:*:*
        cpe:2.3:h:idemia:sigma_lite:-:*:*:*:*:*:*:*
        cpe:2.3:h:idemia:sigma_lite\+:-:*:*:*:*:*:*:*
        cpe:2.3:h:idemia:sigma_wide:-:*:*:*:*:*:*:*
        cpe:2.3:h:idemia:visionpass:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-09-15 14:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.587Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.idemia.com/vulnerability-information"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:idemia:morphowave_compact:-:*:*:*:*:*:*:*",
                  "cpe:2.3:h:idemia:morphowave_xp:-:*:*:*:*:*:*:*",
                  "cpe:2.3:h:idemia:sigma_extreme:-:*:*:*:*:*:*:*",
                  "cpe:2.3:h:idemia:sigma_lite:-:*:*:*:*:*:*:*",
                  "cpe:2.3:h:idemia:sigma_lite\\+:-:*:*:*:*:*:*:*",
                  "cpe:2.3:h:idemia:sigma_wide:-:*:*:*:*:*:*:*",
                  "cpe:2.3:h:idemia:visionpass:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "visionpass",
                "vendor": "idemia",
                "versions": [
                  {
                    "status": "affected",
                    "version": "0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4667",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T17:15:13.540026Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T16:26:43.231Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SIGMA Lite \u0026 Lite +",
              "vendor": "IDEMIA",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "SIGMA Wide",
              "vendor": "IDEMIA",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "SIGMA Extreme",
              "vendor": "IDEMIA",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "MorphoWave Compact/XP",
              "vendor": "IDEMIA",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "VisionPass",
              "vendor": "IDEMIA",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "MorphoWave SP",
              "vendor": "IDEMIA",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            }
          ],
          "datePublic": "2023-09-15T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields. The stored malicious script is then executed when the GUI is opened by any users of the webserver administration interface.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe root cause of the vulnerability is inadequate input validation and output encoding in the web administration interface component of the firmware.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003eThis could lead to\u0026nbsp;\u0026nbsp;u\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003enauthorized access and data leakage\u003c/span\u003e\n\n\u003c/span\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "\nThe web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields. The stored malicious script is then executed when the GUI is opened by any users of the webserver administration interface.\u00a0\n\n\n\nThe root cause of the vulnerability is inadequate input validation and output encoding in the web administration interface component of the firmware.\n\nThis could lead to\u00a0\u00a0unauthorized access and data leakage\n\n\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-28T08:09:10.450Z",
            "orgId": "a87f365f-9d39-4848-9b3a-58c7cae69cab",
            "shortName": "IDEMIA"
          },
          "references": [
            {
              "url": "https://www.idemia.com/vulnerability-information"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stored Cross Site Scripting in webserver administration",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a87f365f-9d39-4848-9b3a-58c7cae69cab",
        "assignerShortName": "IDEMIA",
        "cveId": "CVE-2023-4667",
        "datePublished": "2023-11-28T08:09:10.450Z",
        "dateReserved": "2023-08-31T12:56:20.703Z",
        "dateUpdated": "2024-10-17T16:26:43.231Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-4667 (GCVE-0-2023-4667)

    Vulnerability from cvelistv5 – Published: 2023-11-28 08:09 – Updated: 2024-10-17 16:26
    VLAI
    Title
    Stored Cross Site Scripting in webserver administration
    Summary
    The web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields. The stored malicious script is then executed when the GUI is opened by any users of the webserver administration interface.  The root cause of the vulnerability is inadequate input validation and output encoding in the web administration interface component of the firmware. This could lead to  unauthorized access and data leakage
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    IDEMIA SIGMA Lite & Lite + Affected: 0
    Create a notification for this product.
    IDEMIA SIGMA Wide Affected: 0
    Create a notification for this product.
    IDEMIA SIGMA Extreme Affected: 0
    Create a notification for this product.
    IDEMIA MorphoWave Compact/XP Affected: 0
    Create a notification for this product.
    IDEMIA VisionPass Affected: 0
    Create a notification for this product.
    IDEMIA MorphoWave SP Affected: 0
    Create a notification for this product.
    idemia visionpass Affected: 0
        cpe:2.3:h:idemia:morphowave_compact:-:*:*:*:*:*:*:*
        cpe:2.3:h:idemia:morphowave_xp:-:*:*:*:*:*:*:*
        cpe:2.3:h:idemia:sigma_extreme:-:*:*:*:*:*:*:*
        cpe:2.3:h:idemia:sigma_lite:-:*:*:*:*:*:*:*
        cpe:2.3:h:idemia:sigma_lite\+:-:*:*:*:*:*:*:*
        cpe:2.3:h:idemia:sigma_wide:-:*:*:*:*:*:*:*
        cpe:2.3:h:idemia:visionpass:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2023-09-15 14:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:31:06.587Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.idemia.com/vulnerability-information"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:h:idemia:morphowave_compact:-:*:*:*:*:*:*:*",
                  "cpe:2.3:h:idemia:morphowave_xp:-:*:*:*:*:*:*:*",
                  "cpe:2.3:h:idemia:sigma_extreme:-:*:*:*:*:*:*:*",
                  "cpe:2.3:h:idemia:sigma_lite:-:*:*:*:*:*:*:*",
                  "cpe:2.3:h:idemia:sigma_lite\\+:-:*:*:*:*:*:*:*",
                  "cpe:2.3:h:idemia:sigma_wide:-:*:*:*:*:*:*:*",
                  "cpe:2.3:h:idemia:visionpass:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "affected",
                "product": "visionpass",
                "vendor": "idemia",
                "versions": [
                  {
                    "status": "affected",
                    "version": "0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-4667",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-15T17:15:13.540026Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-17T16:26:43.231Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SIGMA Lite \u0026 Lite +",
              "vendor": "IDEMIA",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "SIGMA Wide",
              "vendor": "IDEMIA",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "SIGMA Extreme",
              "vendor": "IDEMIA",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "MorphoWave Compact/XP",
              "vendor": "IDEMIA",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "VisionPass",
              "vendor": "IDEMIA",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "MorphoWave SP",
              "vendor": "IDEMIA",
              "versions": [
                {
                  "status": "affected",
                  "version": "0"
                }
              ]
            }
          ],
          "datePublic": "2023-09-15T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields. The stored malicious script is then executed when the GUI is opened by any users of the webserver administration interface.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe root cause of the vulnerability is inadequate input validation and output encoding in the web administration interface component of the firmware.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003eThis could lead to\u0026nbsp;\u0026nbsp;u\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003enauthorized access and data leakage\u003c/span\u003e\n\n\u003c/span\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "\nThe web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields. The stored malicious script is then executed when the GUI is opened by any users of the webserver administration interface.\u00a0\n\n\n\nThe root cause of the vulnerability is inadequate input validation and output encoding in the web administration interface component of the firmware.\n\nThis could lead to\u00a0\u00a0unauthorized access and data leakage\n\n\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-28T08:09:10.450Z",
            "orgId": "a87f365f-9d39-4848-9b3a-58c7cae69cab",
            "shortName": "IDEMIA"
          },
          "references": [
            {
              "url": "https://www.idemia.com/vulnerability-information"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stored Cross Site Scripting in webserver administration",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a87f365f-9d39-4848-9b3a-58c7cae69cab",
        "assignerShortName": "IDEMIA",
        "cveId": "CVE-2023-4667",
        "datePublished": "2023-11-28T08:09:10.450Z",
        "dateReserved": "2023-08-31T12:56:20.703Z",
        "dateUpdated": "2024-10-17T16:26:43.231Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }