
CVE-2023-38029: Saho商合行 ADM100 & ADM-100FP - Arbitrary File Upload

Saho’s attendance devices ADM100 and ADM-100FP have insufficient filtering for special characters and file type within their file uploading function. An unauthenticated remote attacker can upload and execute arbitrary files to perform arbitrary system commands or disrupt service.


TVN ID

TVN-202308009

CVE ID

CVE-2023-38029

CVSS

9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

ADM-100: 0.0.4.0, 0.0.4.3, 0.0.4.6, 0.0.4.8, Q20100602, T17041702, T18051803, T190
ADM-100FP: Q20100602, T17041702, T18051803, T190

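Description

The file upload function of Saho商合行 ADM100 and ADM-100FP does not filter special characters or validate file types. A remote attacker, without requiring any privileges, can upload and execute files of any type to perform arbitrary operations on the system or disrupt service.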

Solution

Please contact Saho商合行 for patch recommendations.

Vulnerability Reporter

Li-Fan Cheng, Chih-Che Chang, AnWei Kung (National Institute of Cyber Security)

Publication Date

2023-08-25
