CVE-2023-2904

7.3 HIGH

📋 TL;DR

This vulnerability in the External Visitor Manager portal of HID SAFE lets an authenticated attacker tamper with the visitor ID sent to the portal's web API and read other users' personal data (an insecure direct object reference: the API trusts the client-supplied ID instead of checking that the record belongs to the caller). The same API does not limit how many visitor-ID requests a user may make, so the flaw can also be used for denial of service. HID SAFE versions 5.8.0 through 5.11.3 are affected.

💻 Affected Systems

Products:
  • HID SAFE
Versions: 5.8.0 through 5.11.3
Operating Systems: Not specified
Default Config Vulnerable: ⚠️ Yes
Notes: Affects External Visitor Manager portal specifically

📦 What is this software?

HID SAFE is HID Global's physical identity and access management (PIAM) suite. The External Visitor Manager is its web portal for registering and managing visitors, which is why its API handles visitor personal data.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Mass data breach of all visitor personal information and complete service disruption through DoS attacks

🟠

Likely Case

Unauthorized access to visitor personal data and potential service degradation

🟢

If Mitigated

Limited data exposure if proper access controls and rate limiting are implemented

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: No known public exploitation reported (the CISA advisory does not list any known public exploits for this issue)
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires valid credentials but exploitation is straightforward once authenticated

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.11.4 or later

Advisory: CISA ICSA-23-152-02, https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-02 (HID fixes are distributed through the HID support portal)

Restart Required: Yes

Instructions:

1. Download HID SAFE version 5.11.4 or later from the HID support portal.
2. Back up the current configuration and data.
3. Apply the update following HID's installation guide.
4. Restart the HID SAFE services.

🔧 Temporary Workarounds

Implement API Rate Limiting

Applies to: all affected versions

Configure the web server or application firewall in front of the portal to limit requests per user/session. This blunts the DoS and slows visitor-ID enumeration, but it does not fix the missing ownership check itself.

Restrict External Visitor Manager Access

Applies to: all affected versions

Limit network access to the External Visitor Manager portal to trusted IP ranges only. Note that the attacker still needs a valid portal account, so this reduces exposure rather than removing it.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unusual API request patterns
  • Deploy web application firewall with IDOR protection and rate limiting rules
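To make the two failure modes described in the TL;DR and the rate-limiting workaround concrete, here is an added illustration in Python. It is not HID SAFE code and does not reflect the portal's real endpoints or data model: the record layout, user names, handler names and the budget of 5 requests per 60 seconds are assumptions chosen for the demo. It shows an authenticated handler that trusts a client-supplied visitor ID and has no throttle, next to a hardened version that enforces ownership from the session and charges every call against a per-user budget.

```python
# Added illustration (not HID SAFE code): an IDOR on a client-supplied visitor
# ID and an unthrottled API, next to a hardened handler. Record layout, user
# names, handler names and the 5 requests / 60 s budget are assumptions.
import time
from collections import defaultdict, deque

# Constructed sample data: visitor records owned by two different portal accounts.
VISITORS = {
    1001: {"owner": "alice", "name": "Visitor A", "id_number": "A-111"},
    1002: {"owner": "alice", "name": "Visitor B", "id_number": "B-222"},
    2001: {"owner": "bob",   "name": "Visitor C", "id_number": "C-333"},
}


class Forbidden(Exception):
    """Raised when the record does not belong to the caller (or does not exist)."""


class TooManyRequests(Exception):
    """Raised when the caller has exhausted its request budget."""


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per principal.
    `clock` is injectable so the behaviour can be tested deterministically."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)

    def check(self, principal):
        now = self.clock()
        q = self.hits[principal]
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            raise TooManyRequests(principal)
        q.append(now)


def get_visitor_vulnerable(session_user, visitor_id, limiter=None):
    """Authenticated, but trusts the client-supplied visitor_id and checks neither
    ownership nor rate: any logged-in user can walk the ID space and read every
    record (the IDOR), and can do so without limit (the DoS vector)."""
    return VISITORS.get(visitor_id)


def get_visitor_hardened(session_user, visitor_id, limiter):
    """Ownership is decided server-side from the session, not from the request,
    and every call is charged against the caller's budget before any lookup."""
    limiter.check(session_user)
    rec = VISITORS.get(visitor_id)
    # One response for "not yours" and "does not exist" so IDs cannot be probed.
    if rec is None or rec["owner"] != session_user:
        raise Forbidden(visitor_id)
    return rec


def enumerate_ids(user, ids, handler, limiter=None):
    """Simulate an attacker walking a range of visitor IDs through `handler`.
    Returns (records_returned, forbidden, throttled)."""
    returned = forbidden = throttled = 0
    for vid in ids:
        try:
            if handler(user, vid, limiter) is not None:
                returned += 1
        except Forbidden:
            forbidden += 1
        except TooManyRequests:
            throttled += 1
    return returned, forbidden, throttled


if __name__ == "__main__":
    # bob is a legitimate, authenticated user who owns only visitor 2001.
    print("vulnerable:", enumerate_ids("bob", range(1000, 1010), get_visitor_vulnerable))
    lim = RateLimiter(limit=5, window=60)
    print("hardened:  ", enumerate_ids("bob", range(1000, 1010), get_visitor_hardened, lim))
```

Walking ten IDs as bob, the vulnerable handler hands back both of alice's records; the hardened one returns nothing, denies the first five lookups and throttles the rest. Note the ordering in the hardened handler: the budget is charged before the lookup, so failed probes cost the attacker as much as successful ones, and the same `Forbidden` is raised for missing and foreign records so response differences cannot be used to map which IDs exist.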

🔍 How to Verify

Check if Vulnerable:

Check the HID SAFE version in the administration console or configuration files. Any version from 5.8.0 through 5.11.3 with the External Visitor Manager portal deployed is vulnerable.

Check Version:

Check HID SAFE web interface or consult system documentation

Verify Fix Applied:

Confirm the version is 5.11.4 or later. Then, using a low-privilege test account, request a visitor ID that belongs to a different account through the portal API and confirm the record is refused rather than returned, and confirm that a burst of visitor-ID requests from that account is throttled.

📡 Detection & Monitoring

Log Indicators:

  • A burst of API requests from a single user or session, well above that user's normal rate
  • One session requesting many distinct, often sequential, visitor IDs, including IDs it never created
  • Visitor records returned to an account that does not own them (visible only if the application logs record ownership)

Network Indicators:

  • Unusual API request patterns to visitor endpoints
  • High volume of requests to HID SAFE web server

SIEM Query (illustrative Splunk-style search; `source`, `event_type`, `visitor_id` and `user` are placeholder field names that depend on how the portal's web server logs are ingested, and the thresholds must be tuned to normal portal traffic; matching on the presence of the visitor-id parameter alone would alert on every legitimate request):

source="hid_safe" event_type="api_request" visitor_id=* | bin _time span=1m | stats count AS requests dc(visitor_id) AS distinct_ids BY _time, user | where requests > 100 OR distinct_ids > 20
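The log indicators above can be checked offline against exported web server logs. The following is an added Python example, not part of the original page and not an HID tool; the log line format, the `/evm/api/visitor` path, the `visitor-id` parameter name and the thresholds are assumptions, and the sample log is constructed. It scores each user on peak request rate, number of distinct visitor IDs and runs of consecutive IDs, which is the signature of someone walking the ID space.

```python
# Added example (not HID SAFE code): score users in a portal access log for the
# enumeration and flooding patterns described above. Line format, path,
# parameter name and thresholds are assumptions; the log below is constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: alice reads her own two visitors over ten minutes; bob walks
# twelve consecutive visitor IDs (2000..2011) in twelve seconds. A login line
# without a visitor-id parameter is included to show it is ignored.
SAMPLE_LOG = """\
2023-06-01T09:59:50Z user=alice POST /evm/login 302
2023-06-01T10:00:00Z user=alice GET /evm/api/visitor?visitor-id=1001 200
2023-06-01T10:04:10Z user=alice GET /evm/api/visitor?visitor-id=1002 200
2023-06-01T10:09:30Z user=alice GET /evm/api/visitor?visitor-id=1001 200
""" + "".join(
    f"2023-06-01T10:30:{i:02d}Z user=bob GET /evm/api/visitor?visitor-id={2000 + i} 200\n"
    for i in range(12)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>\S+) "
    r"(?P<path>[^?\s]+)\?visitor-id=(?P<vid>\d+) (?P<status>\d{3})$"
)


def parse(log_text):
    """Yield (timestamp, user, visitor_id) for each request carrying a visitor-id."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no visitor-id parameter: not relevant to this detection
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["user"], int(m["vid"])


def peak_rate(timestamps, window_s):
    """Largest number of events inside any sliding window of window_s seconds."""
    q, best = deque(), 0
    for t in sorted(timestamps):
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()
        best = max(best, len(q))
    return best


def analyze(log_text, rate_limit=10, window_s=60, distinct_limit=8, run_limit=5):
    """Per-user report with the reasons (if any) the user should be investigated."""
    per_user = defaultdict(lambda: {"timestamps": [], "ids": set()})
    for ts, user, vid in parse(log_text):
        per_user[user]["timestamps"].append(ts)
        per_user[user]["ids"].add(vid)
    report = {}
    for user, d in per_user.items():
        ids = sorted(d["ids"])
        # Count adjacent pairs that differ by exactly one: a walk of the keyspace.
        sequential = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        rate = peak_rate(d["timestamps"], window_s)
        flags = []
        if rate > rate_limit:
            flags.append(f"rate {rate}/{window_s}s exceeds {rate_limit}")
        if len(ids) > distinct_limit:
            flags.append(f"{len(ids)} distinct visitor-ids exceeds {distinct_limit}")
        if sequential >= run_limit:
            flags.append(f"{sequential} consecutive visitor-id steps")
        report[user] = {"requests": len(d["timestamps"]), "distinct_ids": len(ids),
                        "peak_rate": rate, "sequential_steps": sequential, "flags": flags}
    return report


def flagged_users(log_text, **thresholds):
    """Sorted list of users with at least one flag."""
    return sorted(u for u, r in analyze(log_text, **thresholds).items() if r["flags"])


if __name__ == "__main__":
    for user, r in analyze(SAMPLE_LOG).items():
        print(user, r)
    print("investigate:", flagged_users(SAMPLE_LOG))
```

The three signals are deliberately independent: a slow enumeration evades the rate check but not the distinct-ID or consecutive-ID checks, while a flood against a single ID trips only the rate check. Run it over the web server's access log for the portal, after adjusting the regex to the real log format, and tune the thresholds to the site's normal visitor-registration volume before alerting on them.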
