Total: 11 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-38950 | 1 Zkteco | 1 Biotime | 2025-05-21 | N/A | 7.5 HIGH | A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.
CVE-2023-38951 | 1 Zkteco | 1 Biotime | 2025-05-19 | N/A | 9.8 CRITICAL | ZKTeco BioTime version 8.5.5 through 9.0.1 allows authenticated attackers to create or overwrite arbitrary files on the server by making specially crafted requests to '/base/sftpsetting/' endpoints that abuse a path traversal issue in the 'Username' field and a lack of input sanitization on the 'SSH Key' field. Overwriting specific files may lead to arbitrary code execution as the 'NT AUTHORITY\SYSTEM' user.
CVE-2023-38952 | 1 Zkteco | 1 Biotime | 2025-05-19 | N/A | 7.5 HIGH | Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges because session IDs are not validated by default against the type of user accessing the application. Privilege restrictions between non-admin and admin users are not enforced, and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints.
CVE-2022-30515 | 1 Zkteco | 1 Biotime | 2025-05-01 | N/A | 5.3 MEDIUM | ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration.
CVE-2022-38803 | 1 Zkteco | 1 Biotime | 2025-04-24 | N/A | 6.8 MEDIUM | ZKTeco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, Overtime and Manual Log. An authenticated employee can read local files by exploiting XSS in the PDF generator when exporting data as a PDF.
CVE-2022-38802 | 1 Zkteco | 1 Biotime | 2025-04-24 | N/A | 6.2 MEDIUM | ZKTeco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Resign, Private Message, Manual Log, Time Interval, Attshift and Holiday. An authenticated administrator can read local files by exploiting XSS in the PDF generator when exporting data as a PDF.
CVE-2022-38801 | 1 Zkteco | 1 Biotime | 2025-04-24 | N/A | 5.4 MEDIUM | In ZKTeco BioTime < 8.5.3 Build:20200816.447, an employee can hijack an administrator session and cookies using blind cross-site scripting.
CVE-2023-51141 | 1 Zkteco | 1 Biotime | 2025-04-18 | N/A | 6.5 MEDIUM | An issue in ZKTeco BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component.
CVE-2023-51142 | 1 Zkteco | 1 Biotime | 2025-04-18 | N/A | 7.5 HIGH | An issue in ZKTeco BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information.
CVE-2024-6523 | 1 Zkteco | 1 Biotime | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in ZKTeco BioTime up to 9.5.2. It has been classified as problematic. Affected is an unknown function of the component system-group-add Handler. The manipulation of the argument user with the input `<script>alert('XSS')</script>` leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-270366 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-38949 | 1 Zkteco | 1 Biotime | 2024-11-21 | N/A | 7.5 HIGH | An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to arbitrarily reset the Administrator password via a crafted web request.