// For flags

CVE-2022-36782

Pal Electronics Systems - Pal Gate Authorization Errors

Severity Score

8.6
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Pal Electronics Systems - Pal Gate Authorization Errors. The vulnerability is an authorization problem in PalGate device management android client app. Gates of bulidings and parking lots with a simple button in any smartphone. The API was found after a decompiling and static research using Jadx, and a dynamic analasys using Frida. The attacker can iterate over all the IOT devices to see every entry and exit, on every gate and device all over the world, he can also scrape the server and create a user's DB with full names and phone number of over 2.8 million users, and to see all of the users' movement in and out of gates, even in real time.

Pal Electronics Systems - Pal Gate. Errores de Autorización. La vulnerabilidad es un problema de autorización en la aplicación cliente androide de administración de dispositivos PalGate. Puertas de edificios y aparcamientos con un simple botón en cualquier smartphone. La API fue encontrada después de una des compilación e investigación estática usando Jadx, y un análisis dinámico usando Frida. El atacante puede iterar sobre todos los dispositivos IOT para visualizar cada entrada y salida, en cada puerta y dispositivo en todo el mundo, también puede raspar el servidor y crear una base de datos de usuarios con nombres completos y número de teléfono de más de 2.8 millones de usuarios, y visualizar todo el movimiento de usuarios dentro y fuera de las puertas, incluso en tiempo real

*Credits: Tal Saadi
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-07-26 CVE Reserved
  • 2022-09-13 CVE Published
  • 2024-04-03 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
References (1)
URL Tag Source
https://www.gov.il/en/Departments/faq/cve_advisories Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Pal-es
Search vendor "Pal-es"
 Palgate
Search vendor "Pal-es" for product "Palgate"
-android
Affected