
CVSS: 8.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

An IDOR vulnerability has been found in the ZKTeco ZEM800 product, affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server.
• https://www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-zkteco-zem800
• CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 7.5 | EPSS: 3% | CPEs: 20 | EXPL: 3

Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. The affected versions may be before 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210). The fixed versions are firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and firmware version 15.00 (ZMM200-220-210).
• https://www.exploit-db.com/exploits/51112
• https://seclists.org/fulldisclosure/2022/Oct/23
• https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses
• CWE-425: Direct Request ('Forced Browsing')