Control Id Idsecure
Monthly
ControlID iDSecure On-premises versions 4.7.48.0 and prior contain SQL injection vulnerabilities that allow unauthenticated remote attackers to execute arbitrary SQL queries, potentially leaking sensitive information or modifying database contents. The CVSS 9.1 score reflects the critical nature (high confidentiality and integrity impact), though availability is not directly affected. Active exploitation status and proof-of-concept availability cannot be confirmed from provided data, but the unauthenticated, network-accessible attack vector makes this a high-priority vulnerability.
ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to make arbitrary requests from the vulnerable server to internal or external systems, potentially exposing sensitive information. The CVSS 7.5 score reflects the high confidentiality impact and network-accessible attack vector, though integrity and availability are not compromised. This vulnerability requires immediate patching as it requires no authentication or user interaction.
ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain an improper authentication vulnerability (CWE-287) that allows unauthenticated network attackers to completely bypass authentication mechanisms and gain unauthorized permissions within the application. With a CVSS 9.8 score reflecting network-accessible, low-complexity exploitation requiring no user interaction or privileges, this represents a critical remote authentication bypass affecting all confidentiality, integrity, and availability of the system. The vulnerability's presence in a widely-deployed identity and access control product makes this a high-priority threat requiring immediate patching.
A SQL injection vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing unauthenticated attackers to write PHP files on the server's root directory, resulting in remote code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An uncaught exception vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to cause the main web server of IDSecure to fault and crash, causing a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A path traversal vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to delete arbitrary files on IDSecure filesystem, causing a denial of service. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Some API routes exists in Control ID IDSecure 4.7.26.0 and prior, exfiltrating sensitive information and passwords to users accessing these API routes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability has been found in Control iD iDSecure 4.7.29.1 and classified as problematic. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
ControlID iDSecure On-premises versions 4.7.48.0 and prior contain SQL injection vulnerabilities that allow unauthenticated remote attackers to execute arbitrary SQL queries, potentially leaking sensitive information or modifying database contents. The CVSS 9.1 score reflects the critical nature (high confidentiality and integrity impact), though availability is not directly affected. Active exploitation status and proof-of-concept availability cannot be confirmed from provided data, but the unauthenticated, network-accessible attack vector makes this a high-priority vulnerability.
ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to make arbitrary requests from the vulnerable server to internal or external systems, potentially exposing sensitive information. The CVSS 7.5 score reflects the high confidentiality impact and network-accessible attack vector, though integrity and availability are not compromised. This vulnerability requires immediate patching as it requires no authentication or user interaction.
ControlID iDSecure On-premises versions 4.7.48.0 and earlier contain an improper authentication vulnerability (CWE-287) that allows unauthenticated network attackers to completely bypass authentication mechanisms and gain unauthorized permissions within the application. With a CVSS 9.8 score reflecting network-accessible, low-complexity exploitation requiring no user interaction or privileges, this represents a critical remote authentication bypass affecting all confidentiality, integrity, and availability of the system. The vulnerability's presence in a widely-deployed identity and access control product makes this a high-priority threat requiring immediate patching.
A SQL injection vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing unauthenticated attackers to write PHP files on the server's root directory, resulting in remote code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An uncaught exception vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to cause the main web server of IDSecure to fault and crash, causing a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A path traversal vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to delete arbitrary files on IDSecure filesystem, causing a denial of service. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Some API routes exists in Control ID IDSecure 4.7.26.0 and prior, exfiltrating sensitive information and passwords to users accessing these API routes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability has been found in Control iD iDSecure 4.7.29.1 and classified as problematic. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.