Unauthenticated SOAP API in dormakaba Kaba exos 9300

On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled chip cards.

N/A

关键功能的认证机制缺失

Dormakaba exos 9300 安全漏洞

Dormakaba exos 9300是美国Dormakaba公司的一个出入库控制与安全管理系统。 Dormakaba exos 9300存在安全漏洞，该漏洞源于SOAP API无需身份验证，可能导致创建任意访问日志事件或查询已注册芯片卡关联的2FA PIN。

N/A

N/A