CVE-2023-22439
https://notcve.org/view.php?id=CVE-2023-22439
Improper input validation of a large HTTP request in the Controller 6000 and Controller 7000 optional diagnostic web interface (Port 80) can be used to perform a Denial of Service of the diagnostic web interface. This issue affects: Gallagher Controller 6000 and 7000 8.90 prior to vCR8.90.231204a (distributed in 8.90.1620 (MR2)), 8.80 prior to vCR8.80.231204a (distributed in 8.80.1369 (MR3)), 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), 8.60 prior to vCR8.60.231116a (distributed in 8.60.2550 (MR7)), all versions of 8.50 and prior. Se puede utilizar una validación de entrada incorrecta de una solicitud HTTP grande en la interfaz web de diagnóstico opcional de Controller 6000 y Controller 7000 (puerto 80) para realizar una denegación de servicio de la interfaz web de diagnóstico. Este problema afecta a: Gallagher Controller 6000 y 7000 8.90 antes de vCR8.90.231204a (distribuido en 8.90.1620 (MR2)), 8.80 antes de vCR8.80.231204a (distribuido en 8.80.1369 (MR3)), 8.70 antes de vCR8. 70.231204a (distribuido en 8.70.2375 (MR5)), 8.60 antes de vCR8.60.231116a (distribuido en 8.60.2550 (MR7)), todas las versiones de 8.50 y anteriores. • https://security.gallagher.com/Security-Advisories/CVE-2023-22439 • CWE-20: Improper Input Validation •
CVE-2023-6355
https://notcve.org/view.php?id=CVE-2023-6355
Incorrect selection of fuse values in the Controller 7000 platform allows an attacker to bypass some protection mechanisms to enable local debug. This issue affects: Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed in 9.00.1507 (MR1)), 8.90 prior to vCR8.90.231204a (distributed in 8.90.1620 (MR2)), 8.80 prior to vCR8.80.231204a (distributed in 8.80.1369 (MR3)), 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)). La selección incorrecta de valores de fusibles en la plataforma Controller 7000 permite a un atacante eludir algunos mecanismos de protección para habilitar la depuración local. Este problema afecta a: Gallagher Controller 7000 9.00 anterior a vCR9.00.231204b (distribuido en 9.00.1507 (MR1)), 8.90 anterior a vCR8.90.231204a (distribuido en 8.90.1620 (MR2)), 8.80 anterior a vCR8.80.231204a (distribuido en 8.80.1369 (MR3)), 8.70 antes de vCR8.70.231204a (distribuido en 8.70.2375 (MR5)). • https://security.gallagher.com/Security-Advisories/CVE-2023-6355 • CWE-863: Incorrect Authorization CWE-1253: Incorrect Selection of Fuse Values •
CVE-2023-23568
https://notcve.org/view.php?id=CVE-2023-23568
Improper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Personal Data Fields. This issue affects Command Centre: vEL 8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831 (MR8), all versions vEL8.40 and prior • https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-23568 • CWE-285: Improper Authorization •
CVE-2023-22363 – Access Zone stack overflow
https://notcve.org/view.php?id=CVE-2023-22363
A stack-based buffer overflow in the Command Centre Server allows an attacker to cause a denial of service attack via assigning cardholders to an Access Group. This issue affects Command Centre: vEL8.80 prior to vEL8.80.1192 (MR2) • https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-22363 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2023-25074 – Competency access levels not enforced in the server
https://notcve.org/view.php?id=CVE-2023-25074
Improper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Competencies. This issue affects Command Centre: vEL8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831 (MR8), all versions vEL8.40 and prior. • https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2023-25074 • CWE-285: Improper Authorization •