CVE-2019-12532: Security Advisory | Insyde Software


Insyde ID: INSYDE-SA-2019001

Advisory Category: Software

Impact of Vulnerability: Escalation of Privilege, Information Disclosure

Severity Rating: MEDIUM

Original Date: 12-August-2019

Last Revised: 04-September-2019

****Summary:****

A potential security vulnerability in the Insyde software tools may allow escalation of privilege, or information disclosure. Insyde is releasing software updates to mitigate this potential vulnerability.

****Vulnerability Details****

CVEID: CVE-2019-12532

Description: Improper access control in the Insyde software tools may allow a locally authenticated user to escalate privilege or disclose information. The flaw is in the tools themselves, not in the BIOS/firmware they manage.

CVSS Base Score: 6.9 (Medium)

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C/CR:L

The 6.9 is the base score alone. The vector also carries temporal metrics (E:U, RL:O, RC:C: no known exploit, an official fix available, report confirmed) and one environmental metric (CR:L); applying the temporal metrics to the base score gives a temporal score of 6.0. AV:P and PR:L mean the attacker needs physical access to the machine and a low-privileged local account; S:C means the impact is scored as reaching beyond the component that carries the flaw.

****Affected Insyde Tools:****

  • H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23, 200.00.00.01~200.00.00.05
  • H2OOAE before version 200.00.00.02
  • H2OSDE before version 200.00.00.07
  • H2OUVE before version 200.00.02.02
  • H2OPCM before version 100.00.06.00
  • H2OELV before version 100.00.02.08
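The affected list mixes inclusive ranges (H2OFFT, with a "~" between the bounds) and "before version X" entries, and the version strings have different numbers of components (3.02 versus 100.00.08.23), so a naive string comparison will misclassify builds. The following inventory check, an added example and not Insyde's own tooling, encodes the ranges exactly as the advisory lists them and compares versions component-wise; the hostnames and installed versions at the bottom are constructed sample data.

```python
"""Inventory check against the affected-version list in INSYDE-SA-2019001.

Added example. Tool names and ranges are copied from the advisory; the sample
inventory at the bottom is constructed, not real hosts.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]
# (low inclusive or None, high, high_is_inclusive); "before X" -> (None, X, False)
Range = Tuple[Optional[Version], Version, bool]


def parse_version(text: str) -> Version:
    """'100.00.08.23' -> (100, 0, 8, 23); '3.02' -> (3, 2). Rejects non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


AFFECTED = {
    "H2OFFT": [
        (parse_version("3.02"), parse_version("5.28"), True),
        (parse_version("100.00.00.00"), parse_version("100.00.08.23"), True),
        (parse_version("200.00.00.01"), parse_version("200.00.00.05"), True),
    ],
    "H2OOAE": [(None, parse_version("200.00.00.02"), False)],
    "H2OSDE": [(None, parse_version("200.00.00.07"), False)],
    "H2OUVE": [(None, parse_version("200.00.02.02"), False)],
    "H2OPCM": [(None, parse_version("100.00.06.00"), False)],
    "H2OELV": [(None, parse_version("100.00.02.08"), False)],
}


def _pad(v: Version, width: int) -> Version:
    """Zero-extend so that 100.00 and 100.00.00.00 compare equal."""
    return v + (0,) * (width - len(v))


def in_range(v: Version, low: Optional[Version], high: Version, high_inclusive: bool) -> bool:
    width = max(len(v), len(high), len(low) if low else 0)
    pv, ph = _pad(v, width), _pad(high, width)
    if low is not None and pv < _pad(low, width):
        return False
    return pv <= ph if high_inclusive else pv < ph


def is_affected(tool: str, version: str) -> bool:
    ranges = AFFECTED.get(tool.upper())
    if ranges is None:
        raise KeyError(f"{tool!r} is not listed in INSYDE-SA-2019001")
    v = parse_version(version)
    return any(in_range(v, *r) for r in ranges)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory rows are (host, tool, version); returns the rows that need an update."""
    return [(host, tool, ver) for host, tool, ver in inventory if is_affected(tool, ver)]


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("build-01", "H2OFFT", "5.28"),          # top of the first affected range
    ("build-02", "H2OFFT", "5.29"),          # outside every listed range
    ("build-03", "H2OFFT", "100.00.08.24"),  # just above the 100.x range
    ("lab-07", "H2OUVE", "200.00.02.01"),    # before 200.00.02.02 -> affected
    ("lab-08", "H2OOAE", "200.00.00.02"),    # the fixed version itself
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("UPDATE", *row)
```

The check treats every version not in a listed range as clean, which is what the advisory states; a build such as H2OFFT 5.29 that sits just past a range is reported as unaffected, so confirm with the hardware manufacturer rather than assuming a gap in the list means a fix.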

****Recommendations:****

  • Insyde Software has released new versions of the software tools to hardware manufacturers to mitigate this vulnerability.
  • Insyde Software recommends that users contact their hardware manufacturer for an updated BIOS flash package containing the fixed tools.

****Acknowledgements:****

Insyde would like to thank Mickey Shkatov and Jesse Michael from Eclypsium for reporting this issue and working with us on coordinated disclosure.

****Revision History:****

  • Revision 1.0, 12-August-2019: Initial Release
  • Revision 1.1, 04-September-2019: Update Tool Release Status

