CVE-2023-4667 - Vulnerability Details

The web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields. The stored malicious script is then executed when the GUI is opened by any users of the webserver administration interface. The root cause of the vulnerability is inadequate input validation and output encoding in the web administration interface component of the firmware. This could lead to unauthorized access and data leakage

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Idemia	Morphowave Compact Morphowave Compact Firmware Morphowave Sp Morphowave Sp Firmware Morphowave Xp Sgima Lite \& Lite\+ Sgima Lite \& Lite\+ Firmware Sigma Extreme Sigma Extreme Firmware Sigma Lite Sigma Lite\+ Sigma Wide Sigma Wide Firmware Visionpass Visionpass Firmware

Configuration 1 [-]

AND

cpe:2.3:o:idemia:sgima_lite_\&_lite\+_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:idemia:sgima_lite_\&_lite\+:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:idemia:sigma_wide_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:idemia:sigma_wide:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:idemia:sigma_extreme_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:idemia:sigma_extreme:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:idemia:morphowave_compact_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:idemia:morphowave_compact:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:idemia:morphowave_sp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:idemia:morphowave_sp:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:idemia:visionpass_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:idemia:visionpass:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:idemia:morphowave_sp_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:idemia:morphowave_sp:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.idemia.com/vulnerability-information

History

Thu, 17 Oct 2024 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Idemia morphowave Xp Idemia sigma Lite Idemia sigma Lite\+
CPEs		cpe:2.3:h:idemia:morphowave_xp:-:::::::* cpe:2.3:h:idemia:sigma_lite:-:::::::* cpe:2.3:h:idemia:sigma_lite\+:-:::::::*
Vendors & Products		Idemia morphowave Xp Idemia sigma Lite Idemia sigma Lite\+
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: IDEMIA

Published: 2023-11-28T08:09:10.450Z

Updated: 2024-10-17T16:26:43.231Z

Reserved: 2023-08-31T12:56:20.703Z

Link: CVE-2023-4667

Vulnrichment

Updated: 2024-08-02T07:31:06.587Z

NVD

Status : Modified

Published: 2023-11-28T09:15:07.467

Modified: 2024-11-21T08:35:38.667

Link: CVE-2023-4667

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object