PT-2020-5839 · HID · HID OMNIKEY 5427 and HID OMNIKEY 5127

Published: 2020-11-02 · Updated: 2021-03-26 · CVE-2020-36283

CVSS v3.1: 9.6 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: HID OMNIKEY 5427 and HID OMNIKEY 5127 readers (affected versions not specified)
Description: The HID OMNIKEY 5427 and HID OMNIKEY 5127 smart card readers do not sufficiently authenticate requests handled by their EEM driver. A remote attacker can exploit this to conduct cross-site scripting attacks by sending specially crafted HTTP requests, and can upload a configuration file to the device by persuading an authenticated user to visit a malicious website, potentially leading to web cache poisoning and other malicious activity.
Recommendations: Until a patch is available, consider disabling the EEM driver on HID OMNIKEY 5427 and HID OMNIKEY 5127 readers to prevent exploitation. Restrict access to the device's configuration upload feature to reduce the risk of malicious configuration uploads, and avoid using the device in environments where it may be exposed to untrusted HTTP requests until the issue is resolved. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: CSRF

Related Identifiers: BDU:2021-01829, CVE-2020-36283

Affected Products: HID OMNIKEY 5127, HID OMNIKEY 5427