CVE-2021-41847

Name of the Vulnerable Software and Affected Versions 3xLogic Infinias Access Control versions 3.x through 6.7.10708.0

Description An issue was discovered affecting physical security, where users with login credentials assigned to a specific zone can send modified HTTP GET and POST requests to view user data, including personal information and Prox card credentials. Additionally, an authorized user of one zone can send API requests to unlock electronic locks associated with zones they are unauthorized to have access to, and create new user logins for zones they were not authorized to access, including the root zone of the software.

Recommendations For versions 3.x through 6.7.10708.0, consider restricting access to API endpoints that allow unlocking electronic locks and creating new user logins, and limit the ability to send modified HTTP requests to authorized zones only. As a temporary workaround, consider disabling the ability to create new user logins for unauthorized zones until a patch is available. Restrict access to sensitive user data, such as personal information and Prox card credentials, to minimize the risk of exploitation.