Vulnerabilities > Hidglobal
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-02-07 | CVE-2024-23806 | Improper Authorization vulnerability in Hidglobal products. Sensitive data can be extracted from HID iCLASS SE reader configuration cards. | 5.3 |
2024-02-06 | CVE-2024-22388 | Insecure Default Initialization of Resource vulnerability in Hidglobal products. Certain configuration available in the communication channel for encoders could expose sensitive data when reader configuration cards are programmed. | 7.8 |
2023-06-07 | CVE-2023-2904 | Modification of Assumed-Immutable Data (MAID) vulnerability in Hidglobal Safe. The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 is vulnerable to manipulation within web fields in the application programmable interface (API). | 7.3 |
2022-06-06 | CVE-2022-31479 | OS Command Injection vulnerability in multiple products. An unauthenticated attacker can update the hostname with a specially crafted name that will allow for shell commands to be executed during the core collection process. | 9.8 |
2022-06-06 | CVE-2022-31480 | Forced Browsing vulnerability in multiple products. An unauthenticated attacker could arbitrarily upload firmware files to the target device, ultimately causing a Denial-of-Service (DoS). | 5.0 |
2022-06-06 | CVE-2022-31481 | Classic Buffer Overflow vulnerability in multiple products. An unauthenticated attacker can send a specially crafted update file to the device that can overflow a buffer. | 7.5 |
2022-06-06 | CVE-2022-31482 | Classic Buffer Overflow vulnerability in multiple products. An unauthenticated attacker can send a specially crafted unauthenticated HTTP request to the device that can overflow a buffer. | 7.8 |
2022-06-06 | CVE-2022-31483 | Path Traversal vulnerability in multiple products. An authenticated attacker can upload a file with a filename including “..” and “/” to achieve the ability to upload the desired file anywhere on the filesystem. | 9.0 |
2022-06-06 | CVE-2022-31484 | Forced Browsing vulnerability in multiple products. An unauthenticated attacker can send a specially crafted network packet to delete a user from the web interface. | 5.0 |
2022-06-06 | CVE-2022-31485 | Forced Browsing vulnerability in multiple products. An unauthenticated attacker can send specially crafted packets to update the “notes” section of the home page of the web interface. | 5.0 |