go to Content

TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center


Saho ADM100&ADM-100FP - Arbitrary File Upload

TVN ID TVN-202308009
CVE ID CVE-2023-38029
CVSS 9.8 (Critical)
Affected Products ADM-100:,,,, Q20100602, T17041702, T18051803, T190
ADM-100FP: Q20100602, T17041702, T18051803, T190
Description Saho’s attendance devices ADM100 and ADM-100FP has insufficient filtering for special characters and file type within their file uploading function. A unauthenticate remote attacker authenticated can upload and execute arbitrary files to perform arbitrary system commands or disrupt service.
Solution Contact Saho support team
Credit Li-Fan Cheng、Chih-Che Chang、AnWei Kung(國家資通安全研究院)
Public Date 2023-09-19