Search criteria
10 vulnerabilities by SECOM
CVE-2024-10119 (GCVE-0-2024-10119)
Vulnerability from cvelistv5 – Published: 2024-10-18 04:09 – Updated: 2024-10-18 16:41
Title
SECOM WRTM326 - OS Command Injection
Summary
The wireless router WRTM326 from SECOM does not properly validate a specific parameter. An unauthenticated remote attacker could execute arbitrary system commands by sending crafted requests. Firmware versions before 2.3.20 are affected; the advisory's fix is to update to 2.3.20 or later.
Severity ?
9.8 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-8156-81c9d-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-8157-e0461-2.html | third-party-advisory |
Date Public ?
2024-10-18 04:08
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:secom:wrtm326_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "wrtm326_firmware",
"vendor": "secom",
"versions": [
{
"lessThan": "2.3.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-18T16:37:57.696430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-18T16:41:22.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WRTM326",
"vendor": "SECOM",
"versions": [
{
"lessThan": "2.3.20",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-10-18T04:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe wireless router WRTM326 from SECOM does not properly validate a specific parameter. An unauthenticated remote attacker could execute arbitrary system commands by sending crafted requests.\u003c/span\u003e"
}
],
"value": "The wireless router WRTM326 from SECOM does not properly validate a specific parameter. An unauthenticated remote attacker could execute arbitrary system commands by sending crafted requests."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-18T04:09:15.991Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-8156-81c9d-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-8157-e0461-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate WRTM326 to version 2.3.20 or later.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Update WRTM326 to version 2.3.20 or later."
}
],
"source": {
"advisory": "TVN-202410017",
"discovery": "EXTERNAL"
},
"title": "SECOM WRTM326 - OS Command Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-10119",
"datePublished": "2024-10-18T04:09:15.991Z",
"dateReserved": "2024-10-18T02:54:43.842Z",
"dateUpdated": "2024-10-18T16:41:22.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10118 (GCVE-0-2024-10118)
Vulnerability from cvelistv5 – Published: 2024-10-18 04:03 – Updated: 2024-10-18 16:46 Unsupported When Assigned
Title
SECOM WRTR-304GN-304TW-UPSC - OS Command Injection
Summary
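SECOM WRTR-304GN-304TW-UPSC does not properly filter user input in a specific function. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. The record is tagged unsupported-when-assigned: the product is no longer supported, no fixed version is listed, and the advisory's remediation is to retire the affected device.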
Severity ?
9.8 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-8154-69fa5-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-8155-c1ea6-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| SECOM | WRTR-304GN-304TW-UPSC | Affected: 0 |
Date Public ?
2024-10-18 03:51
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:secom:wrtr-304gn-304tw-upsc_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "wrtr-304gn-304tw-upsc_firmware",
"vendor": "secom",
"versions": [
{
"status": "affected",
"version": "v02"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10118",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-18T16:41:41.105343Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-18T16:46:48.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WRTR-304GN-304TW-UPSC",
"vendor": "SECOM",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"datePublic": "2024-10-18T03:51:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSECOM WRTR-304GN-304TW-UPSC does not properly filter user input in the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.\u003c/span\u003e"
}
],
"value": "SECOM WRTR-304GN-304TW-UPSC does not properly filter user input in the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-18T04:03:58.106Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-8154-69fa5-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-8155-c1ea6-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe product is no longer in surport. Please retire affected device.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "The product is no longer in surport. Please retire affected device."
}
],
"source": {
"advisory": "TVN-202410016",
"discovery": "EXTERNAL"
},
"tags": [
"unsupported-when-assigned"
],
"title": "SECOM WRTR-304GN-304TW-UPSC - OS Command Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-10118",
"datePublished": "2024-10-18T04:03:58.106Z",
"dateReserved": "2024-10-18T02:54:42.209Z",
"dateUpdated": "2024-10-18T16:46:48.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7732 (GCVE-0-2024-7732)
Vulnerability from cvelistv5 – Published: 2024-08-14 06:55 – Updated: 2024-08-16 17:30
Title
SECOM Dr.ID Attendance system - Unrestricted File Upload
Summary
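Dr.ID Access Control System from SECOM does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents. Note that this record is internally inconsistent: its title says "Unrestricted File Upload" and its product field names the Dr.ID Attendance system, while the description, CWE-89 and CAPEC-66 all describe SQL injection, and the description text is identical to that of CVE-2024-7731. Confirm the affected product and weakness class against the linked TWCERT advisory before triaging.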
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-8007-803d6-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-8008-32677-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| SECOM | Dr.ID Attendance system | Affected: 0 , < 3.6.3 (custom) |
Date Public ?
2024-08-14 06:36
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:secom:dr.id_attendance_system:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "dr.id_attendance_system",
"vendor": "secom",
"versions": [
{
"lessThan": "3.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-16T17:28:51.494658Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T17:30:08.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dr.ID Attendance system",
"vendor": "SECOM",
"versions": [
{
"lessThan": "3.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-08-14T06:36:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dr.ID Access Control System from SECOM does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents."
}
],
"value": "Dr.ID Access Control System from SECOM does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T06:55:59.726Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-8007-803d6-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-8008-32677-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Dr.ID Access Control System to version 3.6.3 or later."
}
],
"value": "Update Dr.ID Access Control System to version 3.6.3 or later."
}
],
"source": {
"advisory": "TVN-202408006",
"discovery": "EXTERNAL"
},
"title": "SECOM Dr.ID Attendance system - Unrestricted File Upload",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-7732",
"datePublished": "2024-08-14T06:55:59.726Z",
"dateReserved": "2024-08-13T09:59:42.489Z",
"dateUpdated": "2024-08-16T17:30:08.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7731 (GCVE-0-2024-7731)
Vulnerability from cvelistv5 – Published: 2024-08-14 06:30 – Updated: 2024-08-14 13:23
Title
SECOM Dr.ID Access control system - SQL injection
Summary
Dr.ID Access Control System from SECOM does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-8005-c3c94-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-8006-036f5-2.html | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| SECOM | Dr.ID Access control system | Affected: 0 , < 3.6.3 (custom) |
Date Public ?
2024-08-14 05:50
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:secom:dr.id_access_control:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "dr.id_access_control",
"vendor": "secom",
"versions": [
{
"lessThan": "3.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7731",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T13:22:17.990182Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T13:23:19.734Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dr.ID Access control system",
"vendor": "SECOM",
"versions": [
{
"lessThan": "3.6.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-08-14T05:50:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDr.ID Access Control System from SECOM does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents.\u003c/span\u003e"
}
],
"value": "Dr.ID Access Control System from SECOM does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T06:30:58.938Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-8005-c3c94-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-8006-036f5-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update Dr.ID Access Control System to version 3.6.3 or later."
}
],
"value": "Update Dr.ID Access Control System to version 3.6.3 or later."
}
],
"source": {
"advisory": "TVN-202408005",
"discovery": "EXTERNAL"
},
"title": "SECOM Dr.ID Access control system - SQL injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2024-7731",
"datePublished": "2024-08-14T06:30:58.938Z",
"dateReserved": "2024-08-13T09:59:40.403Z",
"dateUpdated": "2024-08-14T13:23:19.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26671 (GCVE-0-2022-26671)
Vulnerability from cvelistv5 – Published: 2022-04-07 18:22 – Updated: 2024-09-17 00:31
Title
TAIWAN SECOM CO., LTD., a xDoor Access Control and Personnel Attendance Management system - Hard-coded Credentials
Summary
The login page of the Taiwan Secom Dr.ID Access Control system has a hard-coded credential in its source code. An unauthenticated remote attacker can use the hard-coded credential to acquire partial system information and modify system settings, causing partial disruption of service.
Severity ?
7.3 (High)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-5971-b691f-1.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| TAIWAN SECOM CO., LTD., | Personnel Attendance Management system | Affected: 3.4.0.0.3.11 |
Date Public ?
2022-03-31 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:11:44.025Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-5971-b691f-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Personnel Attendance Management system",
"vendor": "TAIWAN SECOM CO., LTD.,",
"versions": [
{
"status": "affected",
"version": "3.4.0.0.3.11"
}
]
}
],
"datePublic": "2022-03-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Taiwan Secom Dr.ID Access Control system\u2019s login page has a hard-coded credential in the source code. An unauthenticated remote attacker can use the hard-coded credential to acquire partial system information and modify system setting to cause partial disrupt of service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-07T18:22:40.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-5971-b691f-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Personnel Attendance system to v3.4.0.0.3.13_20211214"
}
],
"source": {
"advisory": "TVN-202203004",
"discovery": "EXTERNAL"
},
"title": "TAIWAN SECOM CO., LTD., a xDoor Access Control and Personnel Attendance Management system - Hard-coded Credentials",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2022-03-31T02:30:00.000Z",
"ID": "CVE-2022-26671",
"STATE": "PUBLIC",
"TITLE": "TAIWAN SECOM CO., LTD., a xDoor Access Control and Personnel Attendance Management system - Hard-coded Credentials"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Personnel Attendance Management system",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "3.4.0.0.3.11"
}
]
}
}
]
},
"vendor_name": "TAIWAN SECOM CO., LTD.,"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Taiwan Secom Dr.ID Access Control system\u2019s login page has a hard-coded credential in the source code. An unauthenticated remote attacker can use the hard-coded credential to acquire partial system information and modify system setting to cause partial disrupt of service."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-798 Use of Hard-coded Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-5971-b691f-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-5971-b691f-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Personnel Attendance system to v3.4.0.0.3.13_20211214"
}
],
"source": {
"advisory": "TVN-202203004",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2022-26671",
"datePublished": "2022-04-07T18:22:40.988Z",
"dateReserved": "2022-03-08T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:31:07.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35962 (GCVE-0-2021-35962)
Vulnerability from cvelistv5 – Published: 2021-07-16 15:20 – Updated: 2024-09-16 17:44
Title
TAIWAN SECOM CO., LTD., Door Access Control and Personnel Attendance Management system - Path Traversal
Summary
Specific page parameters in the Dr. ID Door Access Control and Personnel Attendance Management system do not filter special characters. Remote attackers can use path traversal to download credential files from the system without permission.
Severity ?
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-4906-89381-1.html | x_refsource_MISC |
| https://www.chtsecurity.com/news/d7ec2db9-12dd-439f-b014-b956ce231054 | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| TAIWAN SECOM CO., LTD., | Door Access Control and Personnel Attendance Management system | Affected: unspecified , ≤ 3.3.2 (custom) |
| TAIWAN SECOM CO., LTD., | Door Access Control and Personnel Attendance Management system | Affected: unspecified , ≤ 3.4.0.0.3.12_20210525 (custom) |
Date Public ?
2021-07-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4906-89381-1.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/d7ec2db9-12dd-439f-b014-b956ce231054"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Door Access Control"
],
"product": "Door Access Control and Personnel Attendance Management system",
"vendor": "TAIWAN SECOM CO., LTD.,",
"versions": [
{
"lessThanOrEqual": "3.3.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"platforms": [
"Personnel Attendance system"
],
"product": "Door Access Control and Personnel Attendance Management system",
"vendor": "TAIWAN SECOM CO., LTD.,",
"versions": [
{
"lessThanOrEqual": "3.4.0.0.3.12_20210525",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Specific page parameters in Dr. ID Door Access Control and Personnel Attendance Management system does not filter special characters. Remote attackers can apply Path Traversal means to download credential files from the system without permission."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-16T15:20:35.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4906-89381-1.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.chtsecurity.com/news/d7ec2db9-12dd-439f-b014-b956ce231054"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to:\nPersonnel Attendance system ver. 3.4.0.0.3.12_20210525"
}
],
"source": {
"advisory": "TVN-202107003",
"discovery": "EXTERNAL"
},
"title": "TAIWAN SECOM CO., LTD., Door Access Control and Personnel Attendance Management system - Path Traversal",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-07-15T11:19:00.000Z",
"ID": "CVE-2021-35962",
"STATE": "PUBLIC",
"TITLE": "TAIWAN SECOM CO., LTD., Door Access Control and Personnel Attendance Management system - Path Traversal"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Door Access Control and Personnel Attendance Management system",
"version": {
"version_data": [
{
"platform": "Door Access Control",
"version_affected": "\u003c=",
"version_value": "3.3.2"
},
{
"platform": "Personnel Attendance system",
"version_affected": "\u003c=",
"version_value": "3.4.0.0.3.12_20210525"
}
]
}
}
]
},
"vendor_name": "TAIWAN SECOM CO., LTD.,"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Specific page parameters in Dr. ID Door Access Control and Personnel Attendance Management system does not filter special characters. Remote attackers can apply Path Traversal means to download credential files from the system without permission."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4906-89381-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4906-89381-1.html"
},
{
"name": "https://www.chtsecurity.com/news/d7ec2db9-12dd-439f-b014-b956ce231054",
"refsource": "MISC",
"url": "https://www.chtsecurity.com/news/d7ec2db9-12dd-439f-b014-b956ce231054"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to:\nPersonnel Attendance system ver. 3.4.0.0.3.12_20210525"
}
],
"source": {
"advisory": "TVN-202107003",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-35962",
"datePublished": "2021-07-16T15:20:35.841Z",
"dateReserved": "2021-06-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:44:17.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35961 (GCVE-0-2021-35961)
Vulnerability from cvelistv5 – Published: 2021-07-16 15:20 – Updated: 2024-09-17 01:16
Title
TAIWAN SECOM CO., LTD., Door Access Control and Personnel Attendance Management system - Use of Hard-coded Credentials
Summary
The Dr. ID Door Access Control and Personnel Attendance Management system uses hard-coded default admin credentials, which allow remote attackers to access the system with the default password and obtain the highest permission.
Severity ?
9.8 (Critical)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-4905-c99ac-1.html | x_refsource_MISC |
| https://www.chtsecurity.com/news/2e4e69d5-2e32-4f73-ac7e-a66432e020e4 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| TAIWAN SECOM CO., LTD., | Door Access Control and Personnel Attendance Management system | Affected: unspecified , ≤ 3.4.0.0.3.12_20210525 (custom) |
Date Public ?
2021-07-15 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:42.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4905-c99ac-1.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/2e4e69d5-2e32-4f73-ac7e-a66432e020e4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Personnel Attendance system"
],
"product": "Door Access Control and Personnel Attendance Management system",
"vendor": "TAIWAN SECOM CO., LTD.,",
"versions": [
{
"lessThanOrEqual": "3.4.0.0.3.12_20210525",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Dr. ID Door Access Control and Personnel Attendance Management system uses the hard-code admin default credentials that allows remote attackers to access the system through the default password and obtain the highest permission."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-16T15:20:34.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4905-c99ac-1.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.chtsecurity.com/news/2e4e69d5-2e32-4f73-ac7e-a66432e020e4"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to:\nPersonnel Attendance system ver. 3.4.0.0.3.12_20210525"
}
],
"source": {
"advisory": "TVN-202107002",
"discovery": "EXTERNAL"
},
"title": "TAIWAN SECOM CO., LTD., Door Access Control and Personnel Attendance Management system - Use of Hard-coded Credentials",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-07-15T11:19:00.000Z",
"ID": "CVE-2021-35961",
"STATE": "PUBLIC",
"TITLE": "TAIWAN SECOM CO., LTD., Door Access Control and Personnel Attendance Management system - Use of Hard-coded Credentials"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Door Access Control and Personnel Attendance Management system",
"version": {
"version_data": [
{
"platform": "Personnel Attendance system",
"version_affected": "\u003c=",
"version_value": "3.4.0.0.3.12_20210525"
}
]
}
}
]
},
"vendor_name": "TAIWAN SECOM CO., LTD.,"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Dr. ID Door Access Control and Personnel Attendance Management system uses the hard-code admin default credentials that allows remote attackers to access the system through the default password and obtain the highest permission."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-798 Use of Hard-coded Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4905-c99ac-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4905-c99ac-1.html"
},
{
"name": "https://www.chtsecurity.com/news/2e4e69d5-2e32-4f73-ac7e-a66432e020e4",
"refsource": "MISC",
"url": "https://www.chtsecurity.com/news/2e4e69d5-2e32-4f73-ac7e-a66432e020e4"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to:\nPersonnel Attendance system ver. 3.4.0.0.3.12_20210525"
}
],
"source": {
"advisory": "TVN-202107002",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-35961",
"datePublished": "2021-07-16T15:20:34.752Z",
"dateReserved": "2021-06-30T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:16:12.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-3935 (GCVE-0-2020-3935)
Vulnerability from cvelistv5 – Published: 2020-02-11 08:00 – Updated: 2024-09-16 22:19
Title
TAIWAN SECOM CO., LTD. – Sensitivity Information Exposure
Summary
TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, stores users’ information in cleartext in the cookie, which divulges the password to attackers.
Severity ?
7.5 (High)
CWE
- Sensitivity Information Exposure
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.chtsecurity.com/news/1bb85fcd-9048-45… | x_refsource_MISC |
| https://gist.github.com/chtsecurity/4db471b34c395… | x_refsource_MISC |
| https://www.twcert.org.tw/en/cp-139-3319-d7b65-2.html | x_refsource_MISC |
Impacted products
2 products
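| Vendor | Product | Version | |
|---|---|---|---|
| TAIWAN SECOM CO., LTD. | Door Access Control system | Affected: 0 , ≤ 3.3.2 (custom) | |
| TAIWAN SECOM CO., LTD. | Personnel Attendance system | Affected: 0 , ≤ 3.3.0.3_20160517 (custom) | |

Note: the record's solution field reads "Update to: Door Access Control system ver. 3.5.4 / Personnel Attendance system prior to ver. 3.4.0.0.3.05_20191112". The "prior to" wording does not clearly name a fixed Personnel Attendance version, so confirm the target version in the TWCERT advisory.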
Date Public ?
2020-02-11 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:52:20.499Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/en/cp-139-3319-d7b65-2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Door Access Control system",
"vendor": "TAIWAN SECOM CO., LTD.",
"versions": [
{
"lessThanOrEqual": "3.3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"product": "Personnel Attendance system",
"vendor": "TAIWAN SECOM CO., LTD.",
"versions": [
{
"lessThanOrEqual": "3.3.0.3_20160517",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-02-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, stores users\u2019 information by cleartext in the cookie, which divulges password to attackers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Sensitivity Information Exposure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-27T12:12:47.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/en/cp-139-3319-d7b65-2.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to:\nDoor Access Control system ver. 3.5.4\nPersonnel Attendance system prior to ver. 3.4.0.0.3.05_20191112"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TAIWAN SECOM CO., LTD. \u2013 Sensitivity Information Exposure",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-02-11T03:59:00.000Z",
"ID": "CVE-2020-3935",
"STATE": "PUBLIC",
"TITLE": "TAIWAN SECOM CO., LTD. \u2013 Sensitivity Information Exposure"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Door Access Control system",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "3.3.2"
}
]
}
},
{
"product_name": "Personnel Attendance system",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "3.3.0.3_20160517"
}
]
}
}
]
},
"vendor_name": "TAIWAN SECOM CO., LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, stores users\u2019 information by cleartext in the cookie, which divulges password to attackers."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Sensitivity Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac",
"refsource": "MISC",
"url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"
},
{
"name": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b",
"refsource": "MISC",
"url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"
},
{
"name": "https://www.twcert.org.tw/en/cp-139-3319-d7b65-2.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/en/cp-139-3319-d7b65-2.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to:\nDoor Access Control system ver. 3.5.4\nPersonnel Attendance system prior to ver. 3.4.0.0.3.05_20191112"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-3935",
"datePublished": "2020-02-11T08:00:30.076Z",
"dateReserved": "2019-12-20T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:19:57.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-3934 (GCVE-0-2020-3934)
Vulnerability from cvelistv5 – Published: 2020-02-11 08:00 – Updated: 2024-09-17 01:45
Title
TAIWAN SECOM CO., LTD. - Pre-auth SQL Injection
Summary
TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, contains a pre-authentication SQL injection vulnerability that allows attackers to inject a specific SQL command.
Severity ?
9.8 (Critical)
CWE
- Pre-auth SQL Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.chtsecurity.com/news/1bb85fcd-9048-45… | x_refsource_MISC |
| https://gist.github.com/chtsecurity/4db471b34c395… | x_refsource_MISC |
| https://www.twcert.org.tw/en/cp-139-3318-89f76-2.html | x_refsource_MISC |
Impacted products
2 products
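| Vendor | Product | Version | |
|---|---|---|---|
| TAIWAN SECOM CO., LTD. | Door Access Control system | Affected: 0 , ≤ 3.3.2 (custom) | |
| TAIWAN SECOM CO., LTD. | Personnel Attendance system | Affected: 0 , ≤ 3.3.0.3_20160517 (custom) | |

Note: the record's solution field reads "Update to: Door Access Control system ver. 3.5.4 / Personnel Attendance system prior to ver. 3.4.0.0.3.05_20191112". The "prior to" wording does not clearly name a fixed Personnel Attendance version, so confirm the target version in the TWCERT advisory.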
Date Public ?
2020-02-11 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:52:20.538Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/en/cp-139-3318-89f76-2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Door Access Control system",
"vendor": "TAIWAN SECOM CO., LTD.",
"versions": [
{
"lessThanOrEqual": "3.3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"product": "Personnel Attendance system",
"vendor": "TAIWAN SECOM CO., LTD.",
"versions": [
{
"lessThanOrEqual": "3.3.0.3_20160517",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-02-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, contains a vulnerability of Pre-auth SQL Injection, allowing attackers to inject a specific SQL command."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Pre-auth SQL Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-27T12:12:47.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/en/cp-139-3318-89f76-2.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to:\nDoor Access Control system ver. 3.5.4\nPersonnel Attendance system prior to ver. 3.4.0.0.3.05_20191112"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TAIWAN SECOM CO., LTD. - Pre-auth SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-02-11T03:59:00.000Z",
"ID": "CVE-2020-3934",
"STATE": "PUBLIC",
"TITLE": "TAIWAN SECOM CO., LTD. - Pre-auth SQL Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Door Access Control system",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "3.3.2"
}
]
}
},
{
"product_name": "Personnel Attendance system",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "3.3.0.3_20160517"
}
]
}
}
]
},
"vendor_name": "TAIWAN SECOM CO., LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, contains a vulnerability of Pre-auth SQL Injection, allowing attackers to inject a specific SQL command."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Pre-auth SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac",
"refsource": "MISC",
"url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"
},
{
"name": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b",
"refsource": "MISC",
"url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"
},
{
"name": "https://www.twcert.org.tw/en/cp-139-3318-89f76-2.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/en/cp-139-3318-89f76-2.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to:\nDoor Access Control system ver. 3.5.4\nPersonnel Attendance system prior to ver. 3.4.0.0.3.05_20191112"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-3934",
"datePublished": "2020-02-11T08:00:29.639Z",
"dateReserved": "2019-12-20T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:45:45.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-3933 (GCVE-0-2020-3933)
Vulnerability from cvelistv5 – Published: 2020-02-11 08:00 – Updated: 2024-09-17 03:23
Title
TAIWAN SECOM CO., LTD. - User Account Enumeration
Summary
TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, allows attackers to enumerate and examine user accounts in the system.
Severity ?
5.3 (Medium)
CWE
- User Account Enumeration
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/en/cp-139-3317-d4edc-2.html | x_refsource_MISC |
| https://www.chtsecurity.com/news/1bb85fcd-9048-45… | x_refsource_MISC |
| https://gist.github.com/chtsecurity/4db471b34c395… | x_refsource_MISC |
Impacted products
2 products
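| Vendor | Product | Version | |
|---|---|---|---|
| TAIWAN SECOM CO., LTD. | Door Access Control system | Affected: 0 , ≤ 3.3.2 (custom) | |
| TAIWAN SECOM CO., LTD. | Personnel Attendance system | Affected: 0 , ≤ 3.3.0.3_20160517 (custom) | |

Note: the record's solution field reads "Update to: Door Access Control system ver. 3.5.4 / Personnel Attendance system prior to ver. 3.4.0.0.3.05_20191112". The "prior to" wording does not clearly name a fixed Personnel Attendance version, so confirm the target version in the TWCERT advisory.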
Date Public ?
2020-02-11 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:52:19.803Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/en/cp-139-3317-d4edc-2.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Door Access Control system",
"vendor": "TAIWAN SECOM CO., LTD.",
"versions": [
{
"lessThanOrEqual": "3.3.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"product": "Personnel Attendance system",
"vendor": "TAIWAN SECOM CO., LTD.",
"versions": [
{
"lessThanOrEqual": "3.3.0.3_20160517",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-02-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, allows attackers to enumerate and exam user account in the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "User Account Enumeration",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-27T12:12:47.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/en/cp-139-3317-d4edc-2.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to:\nDoor Access Control system ver. 3.5.4\nPersonnel Attendance system prior to ver. 3.4.0.0.3.05_20191112"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "TAIWAN SECOM CO., LTD. - User Account Enumeration",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-02-11T03:59:00.000Z",
"ID": "CVE-2020-3933",
"STATE": "PUBLIC",
"TITLE": "TAIWAN SECOM CO., LTD. - User Account Enumeration"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Door Access Control system",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "3.3.2"
}
]
}
},
{
"product_name": "Personnel Attendance system",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "3.3.0.3_20160517"
}
]
}
}
]
},
"vendor_name": "TAIWAN SECOM CO., LTD."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, allows attackers to enumerate and exam user account in the system."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "User Account Enumeration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/en/cp-139-3317-d4edc-2.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/en/cp-139-3317-d4edc-2.html"
},
{
"name": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac",
"refsource": "MISC",
"url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"
},
{
"name": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b",
"refsource": "MISC",
"url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to:\nDoor Access Control system ver. 3.5.4\nPersonnel Attendance system prior to ver. 3.4.0.0.3.05_20191112"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-3933",
"datePublished": "2020-02-11T08:00:29.196Z",
"dateReserved": "2019-12-20T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:23:28.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}