MidnightBSD

Advisories for secom

CVE-2020-3933 MEDIUM

TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, allows attackers to enumerate and exam user account in the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
secom dr.id_attendance_system *
secom dr.id_access_control *
CVE-2020-3934 HIGH

TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, contains a vulnerability of Pre-auth SQL Injection, allowing attackers to inject a specific SQL command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
twcert@cert.org.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
secom dr.id_attendance_system *
secom dr.id_access_control *
CVE-2020-3935 MEDIUM

TAIWAN SECOM CO., LTD., a Door Access Control and Personnel Attendance Management system, stores users’ information by cleartext in the cookie, which divulges password to attackers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
twcert@cert.org.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-312,

Products Affected

Vendor Product Version
secom dr.id_access_control 3.3.2
secom dr.id_attendance_system *
CVE-2021-35961 HIGH

Dr. ID Door Access Control and Personnel Attendance Management system uses the hard-code admin default credentials that allows remote attackers to access the system through the default password and obtain the highest permission.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
secom dr.id_access_control *
CVE-2021-35962 MEDIUM

Specific page parameters in Dr. ID Door Access Control and Personnel Attendance Management system does not filter special characters. Remote attackers can apply Path Traversal means to download credential files from the system without permission.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
secom personnel_attendance_system *
secom door_access_control *
CVE-2022-26671 HIGH

Taiwan Secom Dr.ID Access Control system’s login page has a hard-coded credential in the source code. An unauthenticated remote attacker can use the hard-coded credential to acquire partial system information and modify system setting to cause partial disrupt of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4
twcert@cert.org.tw 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,CWE-798,

Products Affected

Vendor Product Version
secom dr.id_access_control 3.3.2
secom dr.id_attendance_system 3.4.0.0.3.11