CVE-2017-13129 – ZKTime Web Software 2.0 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2017-13129
Cross-site request forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2.0.1.12280 allows remote authenticated users to hijack the authentication of administrators for requests that add administrators by leveraging lack of anti-CSRF tokens. ZKTime Web Software version 2.0 suffers from a cross-site request forgery vulnerability.
References: https://www.exploit-db.com/exploits/43018 | http://seclists.org/bugtraq/2017/Sep/19 | http://seclists.org/fulldisclosure/2017/Sep/38
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2017-14680 – ZKTime Web Software 2.0 - Improper Access Restrictions
https://notcve.org/view.php?id=CVE-2017-14680
ZKTeco ZKTime Web 2.0.1.12280 allows remote attackers to obtain sensitive employee metadata via a direct request for a PDF document. ZKTime Web Software version 2.0 suffers from an insecure direct object reference vulnerability.
References: https://www.exploit-db.com/exploits/43019 | http://seclists.org/bugtraq/2017/Sep/20 | http://seclists.org/fulldisclosure/2017/Sep/39
Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor