CVE-2024-35429
https://notcve.org/view.php?id=CVE-2024-35429
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord.
References: https://github.com/mrojz/ZKT-Bio-CVSecurity/blob/main/CVE-2024-35429.md
Weaknesses: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-31: Path Traversal: 'dir\..\..\filename'
CVE-2024-35428
https://notcve.org/view.php?id=CVE-2024-35428
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server, which can lead to DoS.
References: https://github.com/mrojz/ZKT-Bio-CVSecurity/blob/main/CVE-2024-35428.md
Weaknesses: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-1706 – ZKTeco ZKBio Access IVS Department Name Search Bar cross site scripting
https://notcve.org/view.php?id=CVE-2024-1706
A vulnerability, which was classified as problematic, has been found in ZKTeco ZKBio Access IVS up to 3.3.2. Affected by this issue is some unknown functionality of the component Department Name Search Bar. The manipulation with the input <marquee>hi leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
References: https://gist.githubusercontent.com/whiteman007/8d3a09991de4ef336937ba91c07b7856/raw/adc00538d7a8c3c54bde4797a10d9b6af393711d/gistfile1.txt ; https://vuldb.com/?ctiid.254396 ; https://vuldb.com/?id.254396
Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-4587 – Insecure direct object reference in ZKTeco ZEM800
https://notcve.org/view.php?id=CVE-2023-4587
An IDOR vulnerability has been found in the ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-zkteco-zem800
Weaknesses: CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2023-38952
https://notcve.org/view.php?id=CVE-2023-38952
Insecure access control in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read sensitive backup files and access sensitive information such as user credentials by sending a crafted HTTP request to the static file resources of the system.
References: http://zkteco.com ; https://claroty.com/team82/disclosure-dashboard/cve-2023-38952
Weaknesses: CWE-552: Files or Directories Accessible to External Parties