3 vulnerabilities by Saho
CVE-2023-38030 (GCVE-0-2023-38030)
Vulnerability from cvelistv5 – Published: 2023-08-28 06:44 – Updated: 2024-10-03 12:58
VLAI
Title
Saho ADM100&ADM-100FP - Execute Code
Summary
Saho’s attendance devices ADM100 and ADM-100FP are missing authentication for critical functions. An unauthenticated remote attacker can execute system commands through certain website URLs to read sensitive device information without permission.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Saho | ADM100 | Affected: 0.0.4.0, 0.0.4.3, 0.0.4.6, 0.0.4.8, Q20100602, T17041702, T18051803, T190 | |
| Saho | ADM-100FP | Affected: Q20100602, T17041702, T18051803, T190 | |
| saho | adm-100_firmware | Affected: 0.0.4.0, 0.0.4.3, 0.0.4.6, 0.0.4.8, q20100602, t17041702, t18051803, t190. CPEs: `cpe:2.3:o:saho:adm-100_firmware:0.0.4.0:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:0.0.4.3:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:0.0.4.6:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:0.0.4.8:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:q20100602:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:t17041702:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:t18051803:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:t190:*:*:*:*:*:*:*` | |
| saho | adm-100fp_firmware | Affected: q20100602, t17041702, t18051803, t190. CPEs: `cpe:2.3:o:saho:adm-100fp_firmware:q20100602:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100fp_firmware:t17041702:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100fp_firmware:t18051803:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100fp_firmware:t190:*:*:*:*:*:*:*` | |
Date Public
2023-08-31 01:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:30:12.343Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7337-501df-1.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:saho:adm-100_firmware:0.0.4.0:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:0.0.4.3:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:0.0.4.6:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:0.0.4.8:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:q20100602:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:t17041702:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:t18051803:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:t190:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "adm-100_firmware",
"vendor": "saho",
"versions": [
{
"status": "affected",
"version": "0.0.4.0"
},
{
"status": "affected",
"version": "0.0.4.3"
},
{
"status": "affected",
"version": "0.0.4.6"
},
{
"status": "affected",
"version": "0.0.4.8"
},
{
"status": "affected",
"version": "q20100602"
},
{
"status": "affected",
"version": "t17041702"
},
{
"status": "affected",
"version": "t18051803"
},
{
"status": "affected",
"version": "t190"
}
]
},
{
"cpes": [
"cpe:2.3:o:saho:adm-100fp_firmware:q20100602:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100fp_firmware:t17041702:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100fp_firmware:t18051803:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100fp_firmware:t190:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "adm-100fp_firmware",
"vendor": "saho",
"versions": [
{
"status": "affected",
"version": "q20100602"
},
{
"status": "affected",
"version": "t17041702"
},
{
"status": "affected",
"version": "t18051803"
},
{
"status": "affected",
"version": "t190"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T12:56:06.564999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T12:58:30.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADM100",
"vendor": "Saho",
"versions": [
{
"status": "affected",
"version": "0.0.4.0"
},
{
"status": "affected",
"version": "0.0.4.3"
},
{
"status": "affected",
"version": "0.0.4.6"
},
{
"status": "affected",
"version": "0.0.4.8"
},
{
"status": "affected",
"version": "Q20100602"
},
{
"status": "affected",
"version": "T17041702"
},
{
"status": "affected",
"version": "T18051803"
},
{
"status": "affected",
"version": "T190"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ADM-100FP",
"vendor": "Saho",
"versions": [
{
"status": "affected",
"version": "Q20100602"
},
{
"status": "affected",
"version": "T17041702"
},
{
"status": "affected",
"version": "T18051803"
},
{
"status": "affected",
"version": "T190"
}
]
}
],
"datePublic": "2023-08-31T01:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSaho\u2019s attendance devices ADM100 and ADM-100FP have a vulnerability of missing authentication for critical functions. An unauthenticated remote attacker can execute system commands in partial website URLs to read sensitive device information without permissions.\u003c/span\u003e\n\n"
}
],
"value": "\nSaho\u2019s attendance devices ADM100 and ADM-100FP have a vulnerability of missing authentication for critical functions. An unauthenticated remote attacker can execute system commands in partial website URLs to read sensitive device information without permissions.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-216",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-216 Communication Channel Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-28T06:44:16.870Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"url": "https://www.twcert.org.tw/tw/cp-132-7337-501df-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\n\n\n\nContact support from Saho.\u003cbr\u003e"
}
],
"value": "\n\n\n\n\nContact support from Saho.\n"
}
],
"source": {
"advisory": "TVN-202308010",
"discovery": "EXTERNAL"
},
"title": "Saho ADM100\u0026ADM-100FP - Execute Code",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2023-38030",
"datePublished": "2023-08-28T06:44:16.870Z",
"dateReserved": "2023-07-12T00:37:03.717Z",
"dateUpdated": "2024-10-03T12:58:30.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38029 (GCVE-0-2023-38029)
Vulnerability from cvelistv5 – Published: 2023-08-28 05:59 – Updated: 2024-10-03 16:16
VLAI
Title
Saho ADM100&ADM-100FP - Arbitrary File Upload
Summary
Saho’s attendance devices ADM100 and ADM-100FP have insufficient filtering for special characters and file type within their file uploading function. An unauthenticated remote attacker can upload and execute arbitrary files to perform arbitrary system commands or disrupt service.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Saho | ADM100 | Affected: 0.0.4.0, 0.0.4.3, 0.0.4.6, 0.0.4.8, Q20100602, T17041702, T18051803, T190 | |
| Saho | ADM-100FP | Affected: Q20100602, T17041702, T18051803, T190 | |
| saho | adm-100_firmware | Affected: 0.0.4.0, 0.0.4.3, 0.0.4.6, 0.0.4.8, q20100602, t17041702, t18051803, t190. CPEs: `cpe:2.3:o:saho:adm-100_firmware:0.0.4.0:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:0.0.4.3:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:0.0.4.6:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:0.0.4.8:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:q20100602:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:t17041702:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:t18051803:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:t190:*:*:*:*:*:*:*` | |
| saho | adm-100fp_firmware | Affected: q20100602, t17041702, t18051803, t190. CPEs: `cpe:2.3:o:saho:adm-100fp_firmware:q20100602:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100fp_firmware:t17041702:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100fp_firmware:t18051803:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100fp_firmware:t190:*:*:*:*:*:*:*` | |
Date Public
2023-08-31 01:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.907Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7336-35a94-1.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:saho:adm-100_firmware:0.0.4.0:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:0.0.4.3:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:0.0.4.6:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:0.0.4.8:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:q20100602:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:t17041702:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:t18051803:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:t190:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "adm-100_firmware",
"vendor": "saho",
"versions": [
{
"status": "affected",
"version": "0.0.4.0"
},
{
"status": "affected",
"version": "0.0.4.3"
},
{
"status": "affected",
"version": "0.0.4.6"
},
{
"status": "affected",
"version": "0.0.4.8"
},
{
"status": "affected",
"version": "q20100602"
},
{
"status": "affected",
"version": "t17041702"
},
{
"status": "affected",
"version": "t18051803"
},
{
"status": "affected",
"version": "t190"
}
]
},
{
"cpes": [
"cpe:2.3:o:saho:adm-100fp_firmware:q20100602:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100fp_firmware:t17041702:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100fp_firmware:t18051803:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100fp_firmware:t190:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "adm-100fp_firmware",
"vendor": "saho",
"versions": [
{
"status": "affected",
"version": "q20100602"
},
{
"status": "affected",
"version": "t17041702"
},
{
"status": "affected",
"version": "t18051803"
},
{
"status": "affected",
"version": "t190"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38029",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T16:15:41.221507Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T16:16:59.825Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADM100",
"vendor": "Saho",
"versions": [
{
"status": "affected",
"version": "0.0.4.0"
},
{
"status": "affected",
"version": "0.0.4.3"
},
{
"status": "affected",
"version": "0.0.4.6"
},
{
"status": "affected",
"version": "0.0.4.8"
},
{
"status": "affected",
"version": "Q20100602"
},
{
"status": "affected",
"version": "T17041702"
},
{
"status": "affected",
"version": "T18051803"
},
{
"status": "affected",
"version": "T190"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ADM-100FP",
"vendor": "Saho",
"versions": [
{
"status": "affected",
"version": "Q20100602"
},
{
"status": "affected",
"version": "T17041702"
},
{
"status": "affected",
"version": "T18051803"
},
{
"status": "affected",
"version": "T190"
}
]
}
],
"datePublic": "2023-08-31T01:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSaho\u2019s attendance devices ADM100 and ADM-100FP has insufficient filtering for special characters and file type within their file uploading function. A unauthenticate remote attacker authenticated can upload and execute arbitrary files to perform arbitrary system commands or disrupt service.\u003c/span\u003e\n\n"
}
],
"value": "\nSaho\u2019s attendance devices ADM100 and ADM-100FP has insufficient filtering for special characters and file type within their file uploading function. A unauthenticate remote attacker authenticated can upload and execute arbitrary files to perform arbitrary system commands or disrupt service.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-28T05:59:47.039Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"url": "https://www.twcert.org.tw/tw/cp-132-7336-35a94-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\n\nContact support from Saho.\u003cbr\u003e"
}
],
"value": "\n\n\nContact support from Saho.\n"
}
],
"source": {
"advisory": "TVN-202308009",
"discovery": "EXTERNAL"
},
"title": "Saho ADM100\u0026ADM-100FP - Arbitrary File Upload",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2023-38029",
"datePublished": "2023-08-28T05:59:47.039Z",
"dateReserved": "2023-07-12T00:37:03.717Z",
"dateUpdated": "2024-10-03T16:16:59.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-38028 (GCVE-0-2023-38028)
Vulnerability from cvelistv5 – Published: 2023-08-28 04:12 – Updated: 2024-10-03 16:12
VLAI
Title
Saho ADM100&ADM-100FP - Broken Access Control
Summary
Saho’s attendance devices ADM100 and ADM-100FP have insufficient authentication. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication, read system information, and operate on user data, but cannot control the system or disrupt service.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
1 reference
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| Saho | ADM100 | Affected: 0.0.4.0, 0.0.4.3, 0.0.4.6, 0.0.4.8, Q20100602, T17041702, T18051803, T190 | |
| Saho | ADM-100FP | Affected: Q20100602, T17041702, T18051803, T190 | |
| saho | adm-100_firmware | Affected: 0.0.4.0, 0.0.4.3, 0.0.4.6, 0.0.4.8, q20100602, t17041702, t18051803, t190. CPEs: `cpe:2.3:o:saho:adm-100_firmware:0.0.4.0:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:0.0.4.3:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:0.0.4.6:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:0.0.4.8:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:q20100602:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:t17041702:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:t18051803:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100_firmware:t190:*:*:*:*:*:*:*` | |
| saho | adm-100fp_firmware | Affected: q20100602, t17041702, t18051803, t190. CPEs: `cpe:2.3:o:saho:adm-100fp_firmware:q20100602:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100fp_firmware:t17041702:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100fp_firmware:t18051803:*:*:*:*:*:*:*`, `cpe:2.3:o:saho:adm-100fp_firmware:t190:*:*:*:*:*:*:*` | |
Date Public
2023-08-31 01:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:28.093Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7335-d300a-1.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:saho:adm-100_firmware:0.0.4.0:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:0.0.4.3:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:0.0.4.6:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:0.0.4.8:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:q20100602:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:t17041702:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:t18051803:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100_firmware:t190:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "adm-100_firmware",
"vendor": "saho",
"versions": [
{
"status": "affected",
"version": "0.0.4.0"
},
{
"status": "affected",
"version": "0.0.4.3"
},
{
"status": "affected",
"version": "0.0.4.6"
},
{
"status": "affected",
"version": "0.0.4.8"
},
{
"status": "affected",
"version": "q20100602"
},
{
"status": "affected",
"version": "t17041702"
},
{
"status": "affected",
"version": "t18051803"
},
{
"status": "affected",
"version": "t190"
}
]
},
{
"cpes": [
"cpe:2.3:o:saho:adm-100fp_firmware:q20100602:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100fp_firmware:t17041702:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100fp_firmware:t18051803:*:*:*:*:*:*:*",
"cpe:2.3:o:saho:adm-100fp_firmware:t190:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "adm-100fp_firmware",
"vendor": "saho",
"versions": [
{
"status": "affected",
"version": "q20100602"
},
{
"status": "affected",
"version": "t17041702"
},
{
"status": "affected",
"version": "t18051803"
},
{
"status": "affected",
"version": "t190"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-38028",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T16:04:42.664509Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T16:12:23.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADM100",
"vendor": "Saho",
"versions": [
{
"status": "affected",
"version": "0.0.4.0"
},
{
"status": "affected",
"version": "0.0.4.3"
},
{
"status": "affected",
"version": "0.0.4.6"
},
{
"status": "affected",
"version": "0.0.4.8"
},
{
"status": "affected",
"version": "Q20100602"
},
{
"status": "affected",
"version": "T17041702"
},
{
"status": "affected",
"version": "T18051803"
},
{
"status": "affected",
"version": "T190"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ADM-100FP",
"vendor": "Saho",
"versions": [
{
"status": "affected",
"version": "Q20100602"
},
{
"status": "affected",
"version": "T17041702"
},
{
"status": "affected",
"version": "T18051803"
},
{
"status": "affected",
"version": "T190"
}
]
}
],
"datePublic": "2023-08-31T01:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSaho\u2019s attendance devices ADM100 and ADM-100FP have insufficient authentication. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication to read system information and operate user\u0027s data, but can\u2019t control system or disrupt service.\u003c/span\u003e\n\n"
}
],
"value": "\nSaho\u2019s attendance devices ADM100 and ADM-100FP have insufficient authentication. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication to read system information and operate user\u0027s data, but can\u2019t control system or disrupt service.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-216",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-216 Communication Channel Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-28T04:12:44.854Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"url": "https://www.twcert.org.tw/tw/cp-132-7335-d300a-1.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nContact support from\u0026nbsp;Saho.\u003cbr\u003e"
}
],
"value": "\nContact support from\u00a0Saho.\n"
}
],
"source": {
"advisory": "TVN-202308008",
"discovery": "EXTERNAL"
},
"title": "Saho ADM100\u0026ADM-100FP - Broken Access Control",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2023-38028",
"datePublished": "2023-08-28T04:12:44.854Z",
"dateReserved": "2023-07-12T00:37:03.717Z",
"dateUpdated": "2024-10-03T16:12:23.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}