VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2023 · Updated Dec 18, 2024

CVE-2023-28809

Description

Some access control products are vulnerable to a session hijacking attack because the product does not update the session ID after a user successfully logs in. To exploit the vulnerability, attackers have to request the session ID at the same time as a valid user logs in, and gain device operation permissions by forging the IP and session ID of an authenticated user.
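
The flaw described above, modelled as an added example (not code from the advisory or from the vendor): a toy session table in which an ID issued before login keeps the user's privileges after login unless the server rotates it. The class `SessionStore`, its methods, the IP-plus-session-ID check and the sample address are assumptions made for illustration.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session table: session ID -> {ip, user}."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def new_anonymous(self, ip):
        # Pre-authentication session, handed to any client that asks.
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"ip": ip, "user": None}
        return sid

    def login(self, sid, ip, user):
        # Credential verification is out of scope; assume it succeeded.
        record = self.sessions.get(sid)
        if record is None or record["ip"] != ip:
            raise PermissionError("unknown session")
        if self.rotate_on_login:
            # Fix: retire the pre-login ID and issue a fresh one.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
        self.sessions[sid] = {"ip": ip, "user": user}
        return sid

    def authorized_user(self, sid, ip):
        # Assumed authorization check: source IP plus session ID only.
        record = self.sessions.get(sid)
        if record and record["ip"] == ip:
            return record["user"]
        return None


def pre_login_id_still_valid(rotate_on_login):
    """True if the ID issued before login carries the user's rights afterwards."""
    store = SessionStore(rotate_on_login)
    ip = "192.0.2.10"  # constructed documentation address
    pre_login_sid = store.new_anonymous(ip)
    store.login(pre_login_sid, ip, "operator")
    return store.authorized_user(pre_login_sid, ip) == "operator"


if __name__ == "__main__":
    print("without rotation:", pre_login_id_still_valid(False))
    print("with rotation:   ", pre_login_id_still_valid(True))
```

A regression test for a fixed firmware build can take the same shape: record the session ID before authenticating, log in, and confirm the recorded ID is rejected.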

Affected products

7
  • hikvision/DS-K1T320XXXv5
    Range: V3.5.0_build220706
  • hikvision/DS-K1T341AXXv5
    Range: V3.2.30_build221223
  • hikvision/DS-K1T341Cv5
    Range: V3.3.8_build230112
  • hikvision/DS-K1T343XXXv5
    Range: V3.14.0_build230117
  • hikvision/DS-K1T671XXXv5
    Range: V3.2.30_build221223
  • hikvision/DS-K1T804AXXv5
    Range: V1.4.0_build221212

References

2
