#VU81990 Session Fixation in Hikvision products - CVE-2023-28809
Published: October 13, 2023
Vulnerability identifier: #VU81990
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-28809
CWE-ID: CWE-384
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
DS-K1T804AEF
DS-K1T804AF
DS-K1T804AMF
DS-K1T341AM
DS-K1T341AMF
DS-K1T671M
DS-K1T671MF
DS-K1T671TM-3XF
DS-K1T671TMFW
DS-K1T671TMW
DS-K1T343EFWX
DS-K1T343EFX
DS-K1T343EWX
DS-K1T343EX
DS-K1T343MFWX
DS-K1T343MFX
DS-K1T343MWX
DS-K1T343MX
DS-K1T341C
DS-K1T320EFWX
DS-K1T320EFX
DS-K1T320EWX
DS-K1T320EX
DS-K1T320MFWX
DS-K1T320MFX
DS-K1T320MWX
DS-K1T320MX
DS-K1T804AEF
DS-K1T804AF
DS-K1T804AMF
DS-K1T341AM
DS-K1T341AMF
DS-K1T671M
DS-K1T671MF
DS-K1T671TM-3XF
DS-K1T671TMFW
DS-K1T671TMW
DS-K1T343EFWX
DS-K1T343EFX
DS-K1T343EWX
DS-K1T343EX
DS-K1T343MFWX
DS-K1T343MFX
DS-K1T343MWX
DS-K1T343MX
DS-K1T341C
DS-K1T320EFWX
DS-K1T320EFX
DS-K1T320EWX
DS-K1T320EX
DS-K1T320MFWX
DS-K1T320MFX
DS-K1T320MWX
DS-K1T320MX
Software vendor:
Hikvision
Hikvision
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected device does not update the session ID after a user successfully logs in. A remote attacker can forge the IP and session ID of an authenticated user and gain device operation permissions.
Remediation
Install updates from vendor's website.