Main Vulnerability Database Vulnerabilities #VU16996

Use of hardcoded credentials in PremiSys - CVE-2019-3906

Published: January 15, 2019

Vulnerability identifier: #VU16996

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-3906

CWE-ID: CWE-798

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: IDenticard

Affected software:
PremiSys

Detailed vulnerability description

The vulnerability allows a remote attacker to gain elevated privileges on the target system.

The weakness exists due to use of hard-coded credentials. A remote attacker can access the entire service via the PremiSys Windows Communication Foundation (WCF) Service endpoint to dump contents of the badge system database, modify contents, or other various tasks with unfettered access.

How to mitigate CVE-2019-3906

Cybersecurity Help is currently unaware of any official solution to address the vulnerability.

Sources

https://www.tenable.com/blog/multiple-zero-days-in-premisys-identicard-access-control-system

Use of hardcoded credentials in PremiSys - CVE-2019-3906

Detailed vulnerability description

How to mitigate CVE-2019-3906

Sources

Please verify you're human