CVE-2023-3942

{"id": "CVE-2023-3942", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "vulnerability@kaspersky.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-05-21T13:15:08.580", "references": [{"url": "https://github.com/klsecservices/Advisories/blob/master/K-ZkTeco-2023-005.md", "source": "vulnerability@kaspersky.com"}, {"url": "https://github.com/klsecservices/Advisories/blob/master/K-ZkTeco-2023-005.md", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "vulnerability@kaspersky.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "An 'SQL Injection' vulnerability, due to improper neutralization of special elements used in SQL commands, exists in ZKTeco-based OEM devices. This vulnerability allows an attacker to, in some cases, impersonate another user or perform unauthorized actions. In other instances, it enables the attacker to access user data and system parameters from the database.\nThis issue affects \nZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others)\n\n with firmware \nZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly other, Standalone service v. 2.1.6-20200907 and possibly others."}, {"lang": "es", "value": "Existe una vulnerabilidad de 'inyecci\u00f3n SQL', debido a una neutralizaci\u00f3n incorrecta de elementos especiales utilizados en comandos SQL, en dispositivos OEM basados ??en ZKTeco. Esta vulnerabilidad permite a un atacante, en algunos casos, hacerse pasar por otro usuario o realizar acciones no autorizadas. En otros casos, permite al atacante acceder a datos del usuario y par\u00e1metros del sistema desde la base de datos. Este problema afecta a dispositivos OEM basados ??en ZkTeco (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME y posiblemente otros) con firmware ZAM170-NF-1.8.25-7354-Ver1.0.0 y posiblemente otros, servicio independiente v. 2.1 .6-20200907 y posiblemente otros."}], "lastModified": "2024-11-21T08:18:22.263", "sourceIdentifier": "vulnerability@kaspersky.com"}