CVE-2020-28333
CRITICALBarco wePresent WiPG-1600W Firmware 2.5.1.8 - Authentication Bypass via SEID Token Exposure
Title source: llmDescription
Barco wePresent WiPG-1600W devices allow Authentication Bypass. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials.
References (2)
Core 2
Core References
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/160161/Barco-wePresent-Authentication-Bypass.html
Third Party Advisory x_refsource_misc
https://korelogic.com/Resources/Advisories/KL-001-2020-006.txt
Scores
CVSS v3
9.8
EPSS
0.0320
EPSS Percentile
86.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-200
CWE-287
Status
published
Products (1)
barco/wepresent_wipg-1600w_firmware
2.5.1.8
Published
Nov 24, 2020
Tracked Since
Feb 18, 2026