HID Global SAFE Visitor Manager Portal Vulnerability

Exploitation of this vulnerability could result in exposure of personal data or create a denial-of-service condition

Threat ID:: CC-4327
Threat Severity:: Information only
Published:: 2 June 2023 3:12 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Exploitation of this vulnerability could result in exposure of personal data or create a denial-of-service condition

Affected platforms

The following platforms are known to be affected:

Versions: 5.8.0 to 5.11.3

HID SAFE™ Visitor Manager

Note: affected version uses the optional External Visitor Manager portal

Threat details

Introduction

A vulnerability in the External Visitor Manager portal of HID’s SAFE has been disclosed. The vulnerability, known as CVE-2023-2904, has a CVSSv3 score of 7.3 and relates to a manipulation within web fields in the application programmable interface (API).

An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users.

There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also exploit this vulnerability to create a denial-of-service condition.

Remediation advice

Affected organisations are encouraged to review HIS's security advisory HID-PSA-2023-001 and apply the relevant update.

Definitive source of threat updates

CVE Vulnerabilities

Status Reserved

CVE-2023-2904

Last edited: 2 June 2023 3:12 pm