CVE-2023-2904: 
NixOS vulnerability analysis and mitigation

The External Visitor Manager portal of HID's SAFE versions 5.8.0 through 5.11.3 are vulnerable to manipulation within web fields in the application programmable interface (API). This vulnerability was assigned CVE-2023-2904 and received a CVSS v3.1 base score of 7.3 (HIGH) (CISA Advisory).

The vulnerability allows an attacker to log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API. The vulnerability has been classified as CWE-471 (Modification of Assumed-Immutable Data). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H, indicating network accessibility, low attack complexity, and required low privileges with user interaction (NVD).

Successful exploitation of this vulnerability could result in exposure of personal data of other users and potentially create a denial-of-service condition. There is no limit on the number of requests that can be made to the HID SAFE Web Server, which could be exploited to create service disruptions (CISA Advisory).

According to HID Global, the number of affected systems is limited and all affected systems have been patched. The External Visitor Management feature is licensed and deployed separately from the HID SAFE core software, and users not using this feature are not affected (CISA Advisory).