CVE-2023-38030

Summary

Saho’s attendance devices ADM100 and ADM-100FP have a vulnerability of missing authentication for critical functions. An unauthenticated remote attacker can execute system commands in partial website URLs to read sensitive device information without permissions.

Affected Software

VendorProductVersion RangeStatus
SahoADM1000.0.4.0affected
SahoADM1000.0.4.3affected
SahoADM1000.0.4.6affected
SahoADM1000.0.4.8affected
SahoADM100Q20100602affected
SahoADM100T17041702affected
SahoADM100T18051803affected
SahoADM100T190affected
SahoADM-100FPQ20100602affected
SahoADM-100FPT17041702affected
SahoADM-100FPT18051803affected
SahoADM-100FPT190affected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References