// For flags

CVE-2020-36283

 

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

HID OMNIKEY 5427 and OMNIKEY 5127 readers are vulnerable to CSRF when using the EEM driver (Ethernet Emulation Mode). By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to upload a configuration file to the device. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

Los lectores HID OMNIKEY 5427 y OMNIKEY 5127, son vulnerables a un ataque de tipo CSRF cuando es usado el controlador EEM (Ethernet Emulation Mode). Al persuadir a un usuario autenticado para que visite un sitio Web malicioso, un atacante remoto podría enviar una petición HTTP malformada para cargar un archivo de configuración en el dispositivo. Un atacante podría explotar esta vulnerabilidad para llevar a cabo ataques de tipo cross-site scripting, envenenamiento de la caché web y otras actividades maliciosas

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-03-24 CVE Reserved
  • 2021-03-24 CVE Published
  • 2023-10-29 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Hidglobal
Search vendor "Hidglobal"
 Omnikey 5427 Firmware
Search vendor "Hidglobal" for product "Omnikey 5427 Firmware"
--
Affected
in Hidglobal
Search vendor "Hidglobal"
 Omnikey 5427
Search vendor "Hidglobal" for product "Omnikey 5427"
--
Safe
Hidglobal
Search vendor "Hidglobal"
 Omnikey 5127 Firmware
Search vendor "Hidglobal" for product "Omnikey 5127 Firmware"
--
Affected
in Hidglobal
Search vendor "Hidglobal"
 Omnikey 5127
Search vendor "Hidglobal" for product "Omnikey 5127"
--
Safe