CVE-2023-28809

Summary

CVE	CVE-2023-28809
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-06-15 19:15:00 UTC
Updated	2023-09-05 17:15:00 UTC
Description	Some access control products are vulnerable to a session hijacking attack because the product does not update the session ID after a user successfully logs in. To exploit the vulnerability, attackers have to request the session ID at the same time as a valid user logs in, and gain device operation permissions by forging the IP and session ID of an authenticated user.

Risk And Classification

Problem Types: CWE-384

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Hikvision	Ds-k1t320efwx	-	All	All	All
Operating System	Hikvision	Ds-k1t320efwx Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t320efx	-	All	All	All
Operating System	Hikvision	Ds-k1t320efx Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t320ewx	-	All	All	All
Operating System	Hikvision	Ds-k1t320ewx Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t320ex	-	All	All	All
Operating System	Hikvision	Ds-k1t320ex Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t320mfwx	-	All	All	All
Operating System	Hikvision	Ds-k1t320mfwx Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t320mfx	-	All	All	All
Operating System	Hikvision	Ds-k1t320mfx Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t320mwx	-	All	All	All
Operating System	Hikvision	Ds-k1t320mwx Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t320mx	-	All	All	All
Operating System	Hikvision	Ds-k1t320mx Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t341am	-	All	All	All
Hardware	Hikvision	Ds-k1t341amf	-	All	All	All
Operating System	Hikvision	Ds-k1t341amf Firmware	-	All	All	All
Operating System	Hikvision	Ds-k1t341am Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t341cm	-	All	All	All
Operating System	Hikvision	Ds-k1t341cm Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t343ewx	-	All	All	All
Operating System	Hikvision	Ds-k1t343ewx Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t343ex	-	All	All	All
Operating System	Hikvision	Ds-k1t343ex Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t343mwx	-	All	All	All
Operating System	Hikvision	Ds-k1t343mwx Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t343mx	-	All	All	All
Operating System	Hikvision	Ds-k1t343mx Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t671	-	All	All	All
Hardware	Hikvision	Ds-k1t671m	-	All	All	All
Hardware	Hikvision	Ds-k1t671mf	-	All	All	All
Operating System	Hikvision	Ds-k1t671mf Firmware	-	All	All	All
Operating System	Hikvision	Ds-k1t671m Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t671t	-	All	All	All
Hardware	Hikvision	Ds-k1t671tm	-	All	All	All
Hardware	Hikvision	Ds-k1t671tm-3xf	-	All	All	All
Operating System	Hikvision	Ds-k1t671tm-3xf Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t671tmf	-	All	All	All
Hardware	Hikvision	Ds-k1t671tmfw	-	All	All	All
Operating System	Hikvision	Ds-k1t671tmfw Firmware	-	All	All	All
Operating System	Hikvision	Ds-k1t671tmf Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t671tmw	-	All	All	All
Operating System	Hikvision	Ds-k1t671tmw Firmware	-	All	All	All
Operating System	Hikvision	Ds-k1t671tm Firmware	-	All	All	All
Operating System	Hikvision	Ds-k1t671t Firmware	-	All	All	All
Operating System	Hikvision	Ds-k1t671 Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t804af	-	All	All	All
Operating System	Hikvision	Ds-k1t804af Firmware	-	All	All	All
Hardware	Hikvision	Ds-k1t804amf	-	All	All	All
Operating System	Hikvision	Ds-k1t804amf Firmware	-	All	All	All

References

Reference	Source	Link	Tags
Security Vulnerability in Some Hikvision Access Control/Intercom Products - Security Advisory - Hikvision	MISC	www.hikvision.com
Hikvision Access Control Session Hijacking ≈ Packet Storm	MISC	packetstormsecurity.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Andres Hinnosaar

There are currently no legacy QID mappings associated with this CVE.