CVE-2024-41146
https://notcve.org/view.php?id=CVE-2024-41146
12 Dec 2024 — Use of Multiple Resources with Duplicate Identifier (CWE-694) in the Controller 6000 and Controller 7000 Platforms could allow an attacker with physical access to HBUS communication cabling to perform a Denial-of-Service attack against HBUS connected devices, requiring a device reboot to resolve. This issue affects: Controller 6000 and Controller 7000 firmware versions 9.10 prior to vCR9.10.241108a (distributed in 9.10.2149 (MR4)), 9.00 prior to vCR9.00.241108a (distributed in 9.00.2374 (MR5)), 8.90 prior to ... • https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-41146 • CWE-694: Use of Multiple Resources with Duplicate Identifier •
CVE-2024-39808
https://notcve.org/view.php?id=CVE-2024-39808
11 Sep 2024 — Incorrect Calculation of Buffer Size (CWE-131) in the Controller 6000 and Controller 7000 OSDP message handling, allows an attacker with physical access to Controller wiring to instigate a reboot leading to a denial of service. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1530 (MR2)), 9.00 prior to vCR9.00.240816a (distributed in 9.00.2168 (MR4)), 8.90 prior to vCR8.90.240816a (distributed in 8.90.2155 (MR5)), 8.80 prior to vCR8.80.240816b (distr... • https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-39808 • CWE-131: Incorrect Calculation of Buffer Size •
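The advisory above names the weakness class (CWE-131) and the protocol (OSDP) but not the defect itself. The following is an added illustration, written for this page and not Gallagher's code, of how an OSDP frame parser falls into CWE-131 and what the bounds checks look like when done properly. It assumes the standard OSDP frame layout (SOM 0x53, address, 16-bit little-endian LEN counting the whole frame, CTRL byte whose bit 2 selects CRC-16 over an 8-bit checksum and whose bit 3 flags a security control block, then command byte, data, and trailer); the buffer size, function names and sample frames are assumptions, and the sample frames are constructed, not captured traffic.

```c
/* Hypothetical OSDP frame handling showing CWE-131 and its fix.
 * Not Gallagher's code and not the actual CVE-2024-39808 defect; it shows the
 * weakness class only. Assumed frame layout (IEC 60839-11-5):
 *   SOM=0x53 | ADDR | LEN_LSB | LEN_MSB | CTRL | [SCB] | CMD | DATA... | CKSUM(1) or CRC16(2)
 * LEN counts every byte from SOM through the trailer. CRC-16 uses poly 0x1021,
 * init 0x1D0F, sent LSB first; the checksum is the two's complement of the byte sum.
 */
#include <stddef.h>
#include <stdint.h>

#define OSDP_SOM       0x53
#define OSDP_HDR_LEN   5      /* SOM, ADDR, LEN(2), CTRL */
#define OSDP_CTRL_CRC  0x04
#define OSDP_CTRL_SCB  0x08
#define OSDP_RX_BUF    128    /* assumed size of the controller's receive buffer */

typedef struct {
    uint8_t addr, ctrl, cmd;
    const uint8_t *data;
    size_t data_len;
} osdp_frame_t;

static uint16_t osdp_crc16(const uint8_t *buf, size_t len) {
    uint16_t crc = 0x1D0F;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(buf[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

static uint8_t osdp_checksum(const uint8_t *buf, size_t len) {
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += buf[i];
    return (uint8_t)(~sum + 1);
}

/* Weak pattern (CWE-131): the payload size is derived from LEN with no check that
 * LEN >= header + command + trailer or that LEN <= bytes actually received. LEN=4
 * underflows to SIZE_MAX-2; LEN=0x7FFF reads far past the receive buffer. Passing
 * either to memcpy is enough to fault the device. */
static size_t osdp_payload_len_weak(const uint8_t *rx, size_t rx_len) {
    if (rx_len < OSDP_HDR_LEN || rx[0] != OSDP_SOM) return 0;
    size_t len = rx[2] | ((size_t)rx[3] << 8);
    size_t trailer = (rx[4] & OSDP_CTRL_CRC) ? 2 : 1;
    return len - OSDP_HDR_LEN - 1 - trailer;      /* unchecked arithmetic */
}

/* Hardened parser: LEN is validated against the minimum frame, the bytes received
 * and the buffer before any arithmetic or integrity check depends on it. */
static int osdp_parse(const uint8_t *rx, size_t rx_len, osdp_frame_t *f) {
    if (rx_len < OSDP_HDR_LEN || rx[0] != OSDP_SOM) return -1;
    if (rx[4] & OSDP_CTRL_SCB) return -1;             /* secure-channel frames not handled here */
    size_t len = rx[2] | ((size_t)rx[3] << 8);
    size_t trailer = (rx[4] & OSDP_CTRL_CRC) ? 2 : 1;
    size_t min_len = OSDP_HDR_LEN + 1 + trailer;      /* header + command byte + trailer */
    if (len < min_len || len > rx_len || len > OSDP_RX_BUF) return -1;
    if (trailer == 2) {
        uint16_t want = (uint16_t)(rx[len - 2] | (rx[len - 1] << 8));
        if (osdp_crc16(rx, len - 2) != want) return -1;
    } else if (osdp_checksum(rx, len - 1) != rx[len - 1]) {
        return -1;
    }
    f->addr = rx[1]; f->ctrl = rx[4]; f->cmd = rx[5];
    f->data = rx + 6; f->data_len = len - min_len;
    return 0;
}

/* Constructed sample frames. FRAME_POLL is a valid osdp_POLL with a correct checksum;
 * the other two carry a LEN field a hostile device on the wiring could send. */
static const uint8_t FRAME_POLL[]    = {0x53, 0x00, 0x07, 0x00, 0x00, 0x60, 0x46};
static const uint8_t FRAME_LEN4[]    = {0x53, 0x00, 0x04, 0x00, 0x00, 0x60, 0x49};
static const uint8_t FRAME_LEN7FFF[] = {0x53, 0x00, 0xFF, 0x7F, 0x00, 0x60, 0x00};

/* 1 if the weak computation yields a copy length larger than what was received. */
int demo_weak_len4(void)       { return osdp_payload_len_weak(FRAME_LEN4, sizeof FRAME_LEN4) > sizeof FRAME_LEN4; }
int demo_weak_len7fff(void)    { return osdp_payload_len_weak(FRAME_LEN7FFF, sizeof FRAME_LEN7FFF) > sizeof FRAME_LEN7FFF; }
int demo_hardened_len4(void)   { osdp_frame_t f; return osdp_parse(FRAME_LEN4, sizeof FRAME_LEN4, &f); }
int demo_hardened_len7fff(void){ osdp_frame_t f; return osdp_parse(FRAME_LEN7FFF, sizeof FRAME_LEN7FFF, &f); }

/* Command byte of the valid poll frame (0x60), or -1 if it is rejected. */
int demo_hardened_poll(void) {
    osdp_frame_t f;
    if (osdp_parse(FRAME_POLL, sizeof FRAME_POLL, &f)) return -1;
    return f.data_len == 0 ? f.cmd : -1;
}

/* CRC path: build a 3-byte payload frame, append the CRC, optionally corrupt one
 * payload byte afterwards. Returns data_len (3) on accept, -1 on reject. */
static int crc_frame(int tamper) {
    uint8_t buf[11] = {OSDP_SOM, 0x01, 11, 0x00, OSDP_CTRL_CRC, 0x61, 0xAA, 0xBB, 0xCC};
    uint16_t crc = osdp_crc16(buf, 9);
    buf[9] = (uint8_t)crc; buf[10] = (uint8_t)(crc >> 8);
    if (tamper) buf[6] ^= 0x01;
    osdp_frame_t f;
    return osdp_parse(buf, sizeof buf, &f) ? -1 : (int)f.data_len;
}
int demo_hardened_crc(void)        { return crc_frame(0); }
int demo_hardened_crc_tamper(void) { return crc_frame(1); }
```

The check that matters is the ordering: LEN is compared with the minimum frame size, the byte count actually received and the buffer capacity before it feeds any subtraction or memcpy, and the integrity check runs only on a frame already known to fit. Note that a checksum or CRC does not help here; an attacker on the cabling can compute either, so only the bounds checks stand between a hostile LEN and the controller's memory.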
CVE-2024-24972
https://notcve.org/view.php?id=CVE-2024-24972
11 Sep 2024 — Buffer Copy without Checking Size of Input (CWE-120) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authorised and authenticated operator to reboot the Controller, causing a Denial of Service. Gallagher recommend the diagnostic web page is not enabled (default is off) unless advised by Gallagher Technical support. This interface is intended only for diagnostic purposes. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1... • https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-24972 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2024-23906
https://notcve.org/view.php?id=CVE-2024-23906
11 Sep 2024 — Improper Neutralization of Input During Web Page Generation (CWE-79) in the Controller 6000 and Controller 7000 diagnostic webpage allows an attacker to modify Controller configuration during an authenticated Operator's session. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1530 (MR2)), 9.00 prior to vCR9.00.240816a (distributed in 9.00.2168 (MR4)), 8.90 prior to vCR8.90.240816a (distributed in 8.90.2155 (MR5)), 8.80 prior to vCR8.80.240816b (dist... • https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2024-23906 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-23317
https://notcve.org/view.php?id=CVE-2024-23317
11 Jul 2024 — External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. This issue affects: 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 ... • https://security.gallagher.com/Security-Advisories/CVE-2024-23317 • CWE-73: External Control of File Name or Path •
CVE-2024-22387
https://notcve.org/view.php?id=CVE-2024-22387
11 Jul 2024 — External Control of Critical State Data (CWE-642) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated user to modify device I/O connections leading to unexpected behavior that in some circumstances could compromise site physical security controls. Gallagher recommend the diagnostic web page is not enabled (default is off) unless advised by Gallagher Technical support. This interface is intended only for diagnostic purposes. This issue affects: Gallagher Controller 600... • https://security.gallagher.com/Security-Advisories/CVE-2024-22387 • CWE-642: External Control of Critical State Data •
CVE-2024-23485
https://notcve.org/view.php?id=CVE-2024-23485
11 Jul 2024 — Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation (CWE-1304) in the Controller 6000 and 7000 can lead to secured door locks connected via Aperio Communication Hubs to momentarily allow free access. This issue affects: Gallagher Controller 6000 and 7000 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8... • https://security.gallagher.com/Security-Advisories/CVE-2024-23485 • CWE-1304: Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation •