CVE-2023-38029
CRITICALSaho Adm-100fp Firmware - Unrestricted File Upload
Title source: ruleDescription
Saho’s attendance devices ADM100 and ADM-100FP has insufficient filtering for special characters and file type within their file uploading function. A unauthenticate remote attacker authenticated can upload and execute arbitrary files to perform arbitrary system commands or disrupt service.
References (1)
Core 1
Core References
Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-7336-35a94-1.html
Scores
CVSS v3
9.8
EPSS
0.0028
EPSS Percentile
51.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (12)
saho/adm-100_firmware
0.0.4.0
saho/adm-100_firmware
0.0.4.3
saho/adm-100_firmware
0.0.4.6
saho/adm-100_firmware
0.0.4.8
saho/adm-100_firmware
q20100602
saho/adm-100_firmware
t190
saho/adm-100_firmware
t17041702
saho/adm-100_firmware
t18051803
saho/adm-100fp_firmware
q20100602
saho/adm-100fp_firmware
t190
... and 2 more
Published
Aug 28, 2023
Tracked Since
Feb 18, 2026