CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23485
https://notcve.org/view.php?id=CVE-2024-23485
Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation (CWE-1304) in the Controller 6000 and 7000 can lead to secured door locks connected via Aperio Communication Hubs to momentarily allow free access. This issue affects: Gallagher Controller 6000 and 7000 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior. La integridad preservada inadecuadamente del estado de configuración del hardware durante una operación de ahorro/restauración de energía (CWE-1304) en el controlador 6000 y 7000 puede provocar que puertas cerradas seguras conectadas a través de concentradores de comunicación Aperio permitan momentáneamente el libre acceso. Este problema afecta a: Gallagher Controller 6000 y 7000 9.10 antes de vCR9.10.240520a (distribuido en 9.10.1268(MR1)), 9.00 antes de vCR9.00.240521a (distribuido en 9.00.1990(MR3)), 8.90 antes de vCR8. 90.240520a (distribuido en 8.90.1947 (MR4)), 8.80 antes de vCR8.80.240520a (distribuido en 8.80.1726 (MR5)), 8.70 antes de vCR8.70.240520a (distribuido en 8.70.2824 (MR7)), todos Versiones de 8.60 y anteriores. • https://security.gallagher.com/Security-Advisories/CVE-2024-23485 • CWE-1304: Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation •
CVSS: 4.6EPSS: 0%CPEs: 3EXPL: 0CVE-2023-41967
https://notcve.org/view.php?id=CVE-2023-41967
Sensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller's default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages. This issue affects: Gallagher Controller 6000 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), v8.60 or earlier. Un atacante con conocimiento de la contraseña de diagnóstico predeterminada de Controller 6000 y acceso físico al Controlador para ver su configuración a través de las páginas web de diagnóstico podría abusar de la información confidencial no borrada después de la transición del estado de depuración/encendido en el Controlador. Este problema afecta a: Gallagher Controller 6000 8.70 anterior a vCR8.70.231204a (distribuido en 8.70.2375 (MR5)), v8.60 o anterior. • https://security.gallagher.com/Security-Advisories/CVE-2023-41967 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-24590
https://notcve.org/view.php?id=CVE-2023-24590
A format string issue in the Controller 6000's optional diagnostic web interface can be used to write/read from memory, and in some instances crash the Controller 6000 leading to a Denial of Service. This issue affects: Gallagher Controller 6000 8.60 prior to vCR8.60.231116a (distributed in 8.60.2550 (MR7)), all versions of 8.50 and prior. Un problema de cadena de formato en la interfaz web de diagnóstico opcional del Controller 6000 se puede utilizar para escribir/leer desde la memoria y, en algunos casos, bloquear el Controller 6000, lo que provoca una denegación de servicio. Este problema afecta a: Gallagher Controller 6000 8.60 anterior a vCR8.60.231116a (distribuido en 8.60.2550 (MR7)), todas las versiones 8.50 y anteriores. • https://security.gallagher.com/Security-Advisories/CVE-2023-24590 • CWE-134: Use of Externally-Controlled Format String •
CVSS: 4.3EPSS: 0%CPEs: 13EXPL: 0CVE-2023-22439
https://notcve.org/view.php?id=CVE-2023-22439
Improper input validation of a large HTTP request in the Controller 6000 and Controller 7000 optional diagnostic web interface (Port 80) can be used to perform a Denial of Service of the diagnostic web interface. This issue affects: Gallagher Controller 6000 and 7000 8.90 prior to vCR8.90.231204a (distributed in 8.90.1620 (MR2)), 8.80 prior to vCR8.80.231204a (distributed in 8.80.1369 (MR3)), 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), 8.60 prior to vCR8.60.231116a (distributed in 8.60.2550 (MR7)), all versions of 8.50 and prior. Se puede utilizar una validación de entrada incorrecta de una solicitud HTTP grande en la interfaz web de diagnóstico opcional de Controller 6000 y Controller 7000 (puerto 80) para realizar una denegación de servicio de la interfaz web de diagnóstico. Este problema afecta a: Gallagher Controller 6000 y 7000 8.90 antes de vCR8.90.231204a (distribuido en 8.90.1620 (MR2)), 8.80 antes de vCR8.80.231204a (distribuido en 8.80.1369 (MR3)), 8.70 antes de vCR8. 70.231204a (distribuido en 8.70.2375 (MR5)), 8.60 antes de vCR8.60.231116a (distribuido en 8.60.2550 (MR7)), todas las versiones de 8.50 y anteriores. • https://security.gallagher.com/Security-Advisories/CVE-2023-22439 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-24584 – Controller 6000 buffer overflow via upload feature in web interface
https://notcve.org/view.php?id=CVE-2023-24584
Controller 6000 is vulnerable to a buffer overflow via the Controller diagnostic web interface upload feature. This issue affects Controller 6000: before vCR8.80.230201a, before vCR8.70.230201a, before vCR8.60.230201b, before vCR8.50.230201a, all versions of vCR8.40 and prior. • https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-24584 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •