CVE-2023-38029

Summary

Saho’s attendance devices ADM100 and ADM-100FP has insufficient filtering for special characters and file type within their file uploading function. A unauthenticate remote attacker authenticated can upload and execute arbitrary files to perform arbitrary system commands or disrupt service.

Affected Software

VendorProductVersion RangeStatus
SahoADM1000.0.4.0affected
SahoADM1000.0.4.3affected
SahoADM1000.0.4.6affected
SahoADM1000.0.4.8affected
SahoADM100Q20100602affected
SahoADM100T17041702affected
SahoADM100T18051803affected
SahoADM100T190affected
SahoADM-100FPQ20100602affected
SahoADM-100FPT17041702affected
SahoADM-100FPT18051803affected
SahoADM-100FPT190affected

Weaknesses

  • CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References