CVE-2023-2904: The External Visitor Manager portal of HID’s SAFE versions 5..
hidglobal
•
Jun 7, 2023
•
Jun 29, 2023
Description
The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 are vulnerable to manipulation within web fields in the application programmable interface (API). An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users. There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also exploit this vulnerability to create a denial-of-service condition.
Products affected:
hidglobal» safe » *
In a few clicks Akto can analyze your API attack surface and see what APIs are vulnerable to OWASP Top 10 and other common CWEs.
Severity
7.3
/
10
CVSS base metrics
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
User interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
HIGH
Exploitability Score
2.1
Impact Score
5.2
Weakness
CWE-471__NVD-CWE-noinfo__
Learn from academy
HTML Injection
Code Injection
Blind SQL Injection
HTTP Header Injection
LDAP Injection
PHP Injection
Command Injection
NoSQL Injection
Authentication Methods
Brute Force Attack
What is Fuzzing and How Does It Work?
What is API Fuzzing?
What is Fuzzer?
White Box Fuzzing
Black Box Fuzzing
Fuzzing Tools
Golang Fuzzing
File Format Fuzzing
Restler - REST API fuzzer
Directory Fuzzing
Web Fuzzing
What is Metasploit and Nmap?
Drupal Penetration Testing
NIST Penetration Testing
Nessus Penetration Testing
Qualys Penetration Testing
Grey Box Penetration Testing Methodology
Black Box Penetration Testing Methodology
Cloud Penetration Testing Methodology
Active Directory Pentesting Methodology
GraphQL Penetration Testing Methodology
What is API Pentesting?
What is Automated Penetration Testing?
What is API Security?
What is API Security Posture?
What is API Security Testing?
API Security Checklist
What is a Shadow API?
What is a Zombie API?
What are Business Logic Vulnerabilities?
Related tests
JWT authentication bypass via jku header injection
eSMTP - Config Discovery
Nginx - Git Configuration Exposure
Laravel - Sensitive Information Disclosure
Docker Container - Misconfiguration Exposure
Msmtp - Config Exposure
Parameters.yml - File Discovery
Mongo Express - Unauthenticated Access
Apache Airflow Configuration Exposure
Dockerrun AWS Configuration Exposure
Apache Config file disclosure
Appspec Yml Disclosure
Explore more from Akto
Blog
Be updated about everything related to API Security, new API vulnerabilities, industry news and product updates.
Test Library
Discover and find tests from Akto's 100+ API Security test library. Choose your template or add a new template to start your API Security testing.
Documentation
Check out Akto's product documentation for all information related to features and how to use them.