Adam Foster

**Name of the Vulnerable Software and Affected Versions** Kastle Systems firmware prior to May 1, 2024 **Description** The issue concerns a hard-coded credential in the firmware, which, if accessed, may allow an attacker to access sensitive information. **Recommendations** For Kastle Systems firmware prior to May 1, 2024, consider updating to a version released after May 1, 2024, to remove the hard-coded credential and mitigate the risk of sensitive information access. As a temporary workaround, restrict access to the firmware until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Kastle Systems firmware prior to May 1, 2024 **Description** The issue concerns the storage of machine credentials in cleartext, which may allow an attacker to access sensitive information. **Recommendations** For Kastle Systems firmware prior to May 1, 2024, update to a version released after May 1, 2024, to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Evolution Controller versions 2.04.560.31.03.2024 and below **Description** The Web interface of the Evolution Controller does not properly sanitize user input, allowing an unauthenticated attacker to crash the controller software. **Recommendations** For versions 2.04.560.31.03.2024 and below, consider disabling the Web interface until a patch is available to prevent potential crashes by unauthenticated attackers. Restrict access to the Web interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Evolution Controller versions 2.04.560.31.03.2024 and below **Description** The Web interface of Evolution Controller contains poorly configured access control on the `DESKTOP EDIT USER GET CARD` endpoint, allowing an unauthenticated attacker to return the card value data of any user. **Recommendations** For Evolution Controller versions 2.04.560.31.03.2024 and below, consider restricting access to the `DESKTOP EDIT USER GET CARD` endpoint until a patch is available. As a temporary workaround, limit the use of the Web interface to authorized personnel only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Evolution Controller versions 2.04.560.31.03.2024 and below **Description** The issue concerns poorly configured access control on the `DESKTOP EDIT USER GET PIN FIELDS` endpoint, allowing an unauthenticated attacker to retrieve the pin value of any user. **Recommendations** For versions 2.04.560.31.03.2024 and below, consider restricting access to the `DESKTOP EDIT USER GET PIN FIELDS` endpoint until a proper fix is applied. As a temporary workaround, limit the functionality that relies on this endpoint to prevent potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Evolution Controller versions 2.04.560.31.03.2024 and below **Description** The Web interface of Evolution Controller contains poorly configured access control, allowing an unauthenticated attacker to update and add user profiles within the application, and gain full access to the site. This issue also affects the `DESKTOP EDIT USER GET KEYS FIELDS` component, enabling an attacker to return the keys value of any user. **Recommendations** For Evolution Controller versions 2.04.560.31.03.2024 and below, consider restricting access to the Web interface until a patch is available. As a temporary workaround, limit the functionality of the `DESKTOP EDIT USER GET KEYS FIELDS` component to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Evolution Controller versions 2.04.560.31.03.2024 and below **Description** The issue concerns poorly configured access control on the `DESKTOP EDIT USER GET ABACARD FIELDS` endpoint, allowing an unauthenticated attacker to return the `abacard` field of any user. **Recommendations** For Evolution Controller versions 2.04.560.31.03.2024 and below, consider restricting access to the `DESKTOP EDIT USER GET ABACARD FIELDS` endpoint until a proper fix is applied. As a temporary workaround, limit the exposure of the `abacard` field to minimize the risk of unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Evolution Controller versions 2.04.560.31.03.2024 and below **Description** The Web interface of Evolution Controller contains poorly configured access control on the "MOBILE GET USERS LIST" endpoint, allowing an unauthenticated attacker to enumerate all users and their access levels. **Recommendations** For versions 2.04.560.31.03.2024 and below, consider restricting access to the "MOBILE GET USERS LIST" endpoint until a patch is available. As a temporary workaround, limit the information disclosed by the "MOBILE GET USERS LIST" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Evolution Controller versions 2.04.560.31.03.2024 and below **Description** The issue concerns poorly configured access control on `DESKTOP EDIT USER GET KEYS FIELDS` in the Web interface, allowing an unauthenticated attacker to return the keys value of any user. **Recommendations** For Evolution Controller versions 2.04.560.31.03.2024 and below, consider restricting access to the `DESKTOP EDIT USER GET KEYS FIELDS` until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Evolution Controller versions 2.04.560.31.03.2024 and below **Description** The Web interface of Evolution Controller uses poor session management, allowing an unauthenticated attacker to access administrator functionality if any other user is already signed in. **Recommendations** For Evolution Controller versions 2.04.560.31.03.2024 and below, consider restricting access to the Web interface until a patch is available, and ensure that all users sign out when finished using the system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.