CVE-2023-6260

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Brivo ACS100, ACS300 allows OS Command Injection, Bypassing Physical Security.This issue affects ACS100 (Network Adjacent Access), ACS300 (Physical Access): from 5.2.4 before 6.2.4.3.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://sra.io/advisories/	Third Party Advisory
https://support.brivo.com/l/en/article/g82txdwepa-brivo-firmware-release-notes#brivo_firmware_release_6_2_4_3	Release Notes
https://sra.io/advisories/	Third Party Advisory
https://support.brivo.com/l/en/article/g82txdwepa-brivo-firmware-release-notes#brivo_firmware_release_6_2_4_3	Release Notes

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:brivo:acs100_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:brivo:acs100:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:brivo:acs300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:brivo:acs300:-:*:*:*:*:*:*:*

History

05 Feb 2025, 22:35

Type	Values Removed	Values Added
CPE		cpe:2.3:o:brivo:acs100_firmware:::::::: cpe:2.3:h:brivo:acs100:-:::::::* cpe:2.3:h:brivo:acs300:-:::::::* cpe:2.3:o:brivo:acs300_firmware::::::::
First Time		Brivo acs100 Firmware Brivo acs300 Brivo Brivo acs100 Brivo acs300 Firmware
References	~~() https://sra.io/advisories/ -~~	() https://sra.io/advisories/ - Third Party Advisory
References	~~() https://support.brivo.com/l/en/article/g82txdwepa-brivo-firmware-release-notes#brivo_firmware_release_6_2_4_3 -~~	() https://support.brivo.com/l/en/article/g82txdwepa-brivo-firmware-release-notes#brivo_firmware_release_6_2_4_3 - Release Notes

Information

Published : 2024-02-19 22:15

Updated : 2025-02-05 22:35

NVD link : CVE-2023-6260

Mitre link : CVE-2023-6260

CVE.ORG link : CVE-2023-6260

JSON object : View

Products Affected

brivo

acs100_firmware
acs100
acs300_firmware
acs300

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2023-6260", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "57dba5dd-1a03-47f6-8b36-e84e47d335d8", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-02-19T22:15:48.460", "references": [{"url": "https://sra.io/advisories/", "tags": ["Third Party Advisory"], "source": "57dba5dd-1a03-47f6-8b36-e84e47d335d8"}, {"url": "https://support.brivo.com/l/en/article/g82txdwepa-brivo-firmware-release-notes#brivo_firmware_release_6_2_4_3", "tags": ["Release Notes"], "source": "57dba5dd-1a03-47f6-8b36-e84e47d335d8"}, {"url": "https://sra.io/advisories/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://support.brivo.com/l/en/article/g82txdwepa-brivo-firmware-release-notes#brivo_firmware_release_6_2_4_3", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "57dba5dd-1a03-47f6-8b36-e84e47d335d8", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Brivo ACS100, ACS300 allows OS Command Injection, Bypassing Physical Security.This issue affects ACS100 (Network Adjacent Access), ACS300 (Physical Access): from 5.2.4 before 6.2.4.3.\n\n"}, {"lang": "es", "value": "Neutralizaci\u00f3n inadecuada de elementos especiales utilizados en una vulnerabilidad de comando del sistema operativo ('inyecci\u00f3n de comando del sistema operativo') en Brivo ACS100, ACS300 permite la inyecci\u00f3n de comandos del sistema operativo, evitando la seguridad f\u00edsica. Este problema afecta a ACS100 (acceso adyacente a la red), ACS300 (acceso f\u00edsico): desde 5.2 .4 antes del 6.2.4.3."}], "lastModified": "2025-02-05T22:35:57.283", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:brivo:acs100_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80906C11-31EB-496E-A5E6-CCC61AA1AF41", "versionEndIncluding": "6.2.4.3", "versionStartIncluding": "5.2.4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:brivo:acs100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B21FAE09-C308-4E75-87C0-15F6637D139C"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:brivo:acs300_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E455B577-1BD1-45CA-B744-4459B18B9E99", "versionEndExcluding": "6.2.4.3", "versionStartIncluding": "5.2.4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:brivo:acs300:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DC69BFA4-EAD9-4C60-BE90-5722C07F2B65"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "57dba5dd-1a03-47f6-8b36-e84e47d335d8"}