Zkteco: Security Vulnerabilities
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server which can lead to DoS.
CVSS Score
7.1
EPSS Score
0.008
Published
2024-05-30
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord.
CVSS Score
6.5
EPSS Score
0.004
Published
2024-05-30
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via photoBase64. An unauthenticated user can download local files from the server. NOTE: Third parties have indicated other versions are also vulnerable including up to 6.4.1.
CVSS Score
7.5
EPSS Score
0.017
Published
2024-05-30
In ZKTeco ZKBio CVSecurity v6.1.1_R and earlier (fixed in 6.1.3_R) an authenticated user can bypass password checks while exporting data from the application.
CVSS Score
8.1
EPSS Score
0.001
Published
2024-05-30
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Cross Site Scripting (XSS) via an Audio File. An authenticated user can injection malicious JavaScript code to trigger a Cross Site Scripting.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-05-30
An issue in ZKTeko BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component
CVSS Score
6.5
EPSS Score
0.002
Published
2024-04-11
An issue in ZKTeco BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information.
CVSS Score
7.5
EPSS Score
0.002
Published
2024-04-11
A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: '../filedir'. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.1.3 Build 2025-05-26-1605 is able to address this issue. It is recommended to upgrade the affected component.
CVSS Score
4.3
EPSS Score
0.004
Published
2024-03-08
ZKteco ZKBio WDMS before 9.0.2 Build 20250526 allows an attacker to download a database backup via the /files/backup/ component because the filename is based on a predictable timestamp.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-02-23
A vulnerability was determined in ZKTeco ZKBio Access IVS up to 3.3.2. This impacts an unknown function of the component Department Name Search Bar. This manipulation with the input <marquee>hi causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor explains: "ZKBio Access IVS is no longer maintained and the product has been replaced by ZKBio CVAccess, it is recommended to replace it with the latest version of ZKBio CVAccess." This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Score
3.5
EPSS Score
0.001
Published
2024-02-21