CVE-2023-4667

The web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields. The stored malicious script is then executed when the GUI is opened by any users of the webserver administration interface.  The root cause of the vulnerability is inadequate input validation and output encoding in the web administration interface component of the firmware. This could lead to  unauthorized access and data leakage
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:idemia:sgima_lite_\&_lite\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:sgima_lite_\&_lite\+:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:idemia:sigma_wide_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:sigma_wide:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:idemia:sigma_extreme_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:sigma_extreme:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:idemia:morphowave_compact_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:morphowave_compact:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:idemia:morphowave_sp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:morphowave_sp:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:idemia:visionpass_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:visionpass:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:idemia:morphowave_sp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:morphowave_sp:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:35

Type Values Removed Values Added
References () https://www.idemia.com/vulnerability-information - Vendor Advisory () https://www.idemia.com/vulnerability-information - Vendor Advisory
CVSS v2 : unknown
v3 : 4.8
v2 : unknown
v3 : 8.1

05 Dec 2023, 18:53

Type Values Removed Values Added
CPE cpe:2.3:h:idemia:sigma_wide:-:*:*:*:*:*:*:*
cpe:2.3:o:idemia:sigma_extreme_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:idemia:morphowave_sp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:idemia:visionpass_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:idemia:sgima_lite_\&_lite\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:idemia:sigma_wide_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:idemia:visionpass:-:*:*:*:*:*:*:*
cpe:2.3:h:idemia:morphowave_sp:-:*:*:*:*:*:*:*
cpe:2.3:h:idemia:sgima_lite_\&_lite\+:-:*:*:*:*:*:*:*
cpe:2.3:h:idemia:morphowave_compact:-:*:*:*:*:*:*:*
cpe:2.3:h:idemia:sigma_extreme:-:*:*:*:*:*:*:*
cpe:2.3:o:idemia:morphowave_compact_firmware:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.8
References () https://www.idemia.com/vulnerability-information - () https://www.idemia.com/vulnerability-information - Vendor Advisory
First Time Idemia sigma Extreme
Idemia morphowave Sp Firmware
Idemia visionpass Firmware
Idemia sgima Lite \& Lite\+ Firmware
Idemia sigma Extreme Firmware
Idemia morphowave Compact Firmware
Idemia sgima Lite \& Lite\+
Idemia morphowave Sp
Idemia
Idemia visionpass
Idemia sigma Wide Firmware
Idemia sigma Wide
Idemia morphowave Compact
CWE CWE-79

28 Nov 2023, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-28 09:15

Updated : 2024-11-21 08:35


NVD link : CVE-2023-4667

Mitre link : CVE-2023-4667

CVE.ORG link : CVE-2023-4667


JSON object : View

Products Affected

idemia

  • sgima_lite_\&_lite\+
  • sigma_wide
  • visionpass_firmware
  • morphowave_sp
  • visionpass
  • morphowave_compact
  • sgima_lite_\&_lite\+_firmware
  • morphowave_sp_firmware
  • sigma_extreme_firmware
  • sigma_extreme
  • sigma_wide_firmware
  • morphowave_compact_firmware
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')