CVE-2023-4667

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-4667
The web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields. The stored malicious script is then executed when the GUI is opened by any users of the webserver administration interface.  The root cause of the vulnerability is inadequate input validation and output encoding in the web administration interface component of the firmware. This could lead to  unauthorized access and data leakage

4.8 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://www.idemia.com/vulnerability-information Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:idemia:sgima_lite_\&_lite\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:sgima_lite_\&_lite\+:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:idemia:sigma_wide_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:sigma_wide:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:idemia:sigma_extreme_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:sigma_extreme:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:idemia:morphowave_compact_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:morphowave_compact:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:idemia:morphowave_sp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:morphowave_sp:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:idemia:visionpass_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:visionpass:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:idemia:morphowave_sp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:morphowave_sp:-:*:*:*:*:*:*:*
History

05 Dec 2023, 18:53

Type Values Removed Values Added
References () https://www.idemia.com/vulnerability-information - () https://www.idemia.com/vulnerability-information - Vendor Advisory
CWE CWE-79
First Time Idemia visionpass Firmware
Idemia
Idemia sigma Extreme Firmware
Idemia sgima Lite \& Lite\+
Idemia morphowave Compact Firmware
Idemia morphowave Sp Firmware
Idemia morphowave Compact
Idemia sigma Wide Firmware
Idemia morphowave Sp
Idemia visionpass
Idemia sigma Extreme
Idemia sigma Wide
Idemia sgima Lite \& Lite\+ Firmware
CPE cpe:2.3:o:idemia:morphowave_compact_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:idemia:visionpass_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:sigma_extreme:-:*:*:*:*:*:*:*
cpe:2.3:o:idemia:sigma_extreme_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:sgima_lite_\&_lite\+:-:*:*:*:*:*:*:*
cpe:2.3:o:idemia:sigma_wide_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:morphowave_sp:-:*:*:*:*:*:*:*
cpe:2.3:o:idemia:morphowave_sp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:idemia:sgima_lite_\&_lite\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:morphowave_compact:-:*:*:*:*:*:*:*
cpe:2.3:h:idemia:sigma_wide:-:*:*:*:*:*:*:*
cpe:2.3:h:idemia:visionpass:-:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.8

28 Nov 2023, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-11-28 09:15

Updated : 2023-12-05 18:53

NVD link : CVE-2023-4667

Mitre link : CVE-2023-4667

JSON object : View

Products Affected

idemia

  • sigma_extreme
  • morphowave_compact
  • visionpass
  • sgima_lite_\&_lite\+
  • morphowave_compact_firmware
  • sgima_lite_\&_lite\+_firmware
  • sigma_extreme_firmware
  • sigma_wide_firmware
  • sigma_wide
  • visionpass_firmware
  • morphowave_sp_firmware
  • morphowave_sp
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')