Zkteco: community verdicts
11 notable / known-exploited Zkteco CVEs the community has triaged.
- CVE-2023-38950HIGH 7.5KEVEPSS 85%
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.
- CVE-2022-36635HIGH 8.8EPSS 17%
ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.
- CVE-2023-38952HIGH 7.5Real · low riskEPSS 2%
Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints.
- CVE-2022-36634HIGH 8.8Real · low riskEPSS 1%
An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.
- CVE-2023-51142HIGH 7.5Real · low riskEPSS 1%
An issue in ZKTeco BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information.
- CVE-2023-51141MED 6.5EPSS 1%
An issue in ZKTeko BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component
- CVE-2023-38956HIGH 7.5Real · low riskEPSS 1%
A path traversal vulnerability in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.
- CVE-2023-38954CRIT 9.8Real · low riskEPSS 1%
ZKTeco BioAccess IVS v3.3.1 was discovered to contain a SQL injection vulnerability.
- CVE-2023-38955HIGH 7.5Real · low riskEPSS 1%
ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to obtain sensitive information about all managed devices, including their IP addresses and device names.
- CVE-2023-38949HIGH 7.5Real · low riskEPSS 0%
An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to arbitrarily reset the Administrator password via a crafted web request.
- CVE-2023-38958MED 5.3EPSS 0%
An access control issue in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to arbitrarily close and open the doors managed by the platform remotely via sending a crafted web request.