CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2024-6523 – ZKTeco BioTime system-group-add cross site scripting
https://notcve.org/view.php?id=CVE-2024-6523
A vulnerability was found in ZKTeco BioTime up to 9.5.2. It has been classified as problematic. Affected is an unknown function of the component system-group-add Handler. The manipulation of the argument user with the input <script>alert('XSS')</script> leads to cross site scripting. It is possible to launch the attack remotely. • https://gist.github.com/whiteman007/c8bf92b0294cd2f0cda6bfaca36f8f28 https://vuldb.com/?ctiid.270366 https://vuldb.com/?id.270366 https://vuldb.com/?submit.364104 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38952
https://notcve.org/view.php?id=CVE-2023-38952
Insecure access control in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read sensitive backup files and access sensitive information such as user credentials via sending a crafted HTTP request to the static files resources of the system. • http://zkteco.com https://claroty.com/team82/disclosure-dashboard/cve-2023-38952 • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38949
https://notcve.org/view.php?id=CVE-2023-38949
An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to arbitrarily reset the Administrator password via a crafted web request. • http://zkteco.com https://claroty.com/team82/disclosure-dashboard/cve-2023-38949 •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38951
https://notcve.org/view.php?id=CVE-2023-38951
A path traversal vulnerability in ZKTeco BioTime v8.5.5 allows attackers to write arbitrary files via using a malicious SFTP configuration. • http://zkteco.com https://claroty.com/team82/disclosure-dashboard/cve-2023-38951 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38950
https://notcve.org/view.php?id=CVE-2023-38950
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. • http://zkteco.com https://claroty.com/team82/disclosure-dashboard/cve-2023-38950 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •