CVE-2023-28809 HIGH

CVE-2023-28809

Vendor Hikvision

Product DS-K1T804AXX

Weakness CWE-284

Published June 15, 2023

Last update December 18, 2024

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Some access control products are vulnerable to a session hijacking attack because the product does not update the session ID after a user successfully logs in. To exploit the vulnerability, attackers have to request the session ID at the same time as a valid user logs in, and gain device operation permissions by forging the IP and session ID of an authenticated user.

Key dates

02Disclosure timeline

June 15, 2023 CVE published

December 18, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-28809 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

Identifiers

CVE CVE-2023-28809

CWE CWE-284

CVSS 7.5 / HIGH

Affected versions

Vendor Hikvision

Product DS-K1T804AXX

Affected ≥ V1.4.0_build221212 and < V1.4.0_build221212

Vendor Hikvision

Product DS-K1T341AXX

Affected ≥ V3.2.30_build221223 and < V3.2.30_build221223

Vendor Hikvision

Product DS-K1T671XXX

Affected ≥ V3.2.30_build221223 and < V3.2.30_build221223

Vendor Hikvision

Product DS-K1T343XXX

Affected ≥ V3.14.0_build230117 and < V3.14.0_build230117

Vendor Hikvision

Product DS-K1T341C

Affected ≥ V3.3.8_build230112 and < V3.3.8_build230112

Vendor Hikvision

Product DS-K1T320XXX

Affected ≥ V3.5.0_build220706 and < V3.5.0_build220706

CVE-2023-28809

01Description

02Disclosure timeline

03References

04Related CVE