Vulnerabilities > Zkteco > Biotime
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-05 | CVE-2024-6523 | Cross-site Scripting vulnerability in Zkteco Biotime 8.5.3/8.5.4/8.5.5 A vulnerability was found in ZKTeco BioTime up to 9.5.2. | 5.4 |
| 2023-08-03 | CVE-2023-38949 | Unspecified vulnerability in Zkteco Biotime 8.5.5 An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to arbitrarily reset the Administrator password via a crafted web request. | 7.5 |
| 2023-08-03 | CVE-2023-38950 | Path Traversal vulnerability in Zkteco Biotime 8.5.5 A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. | 7.5 |
| 2023-08-03 | CVE-2023-38951 | Path Traversal vulnerability in Zkteco Biotime 8.5.5 ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. | 9.8 |
| 2023-08-03 | CVE-2023-38952 | Files or Directories Accessible to External Parties vulnerability in Zkteco Biotime 8.5.5 Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. | 7.5 |
| 2022-11-30 | CVE-2022-38801 | Cross-site Scripting vulnerability in Zkteco Biotime 8.5.3 In Zkteco BioTime < 8.5.3 Build:20200816.447, an employee can hijack an administrator session and cookies using blind cross-site scripting. | 5.4 |
| 2022-11-30 | CVE-2022-38802 | Cross-site Scripting vulnerability in Zkteco Biotime 8.5.3 Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via resign, private message, manual log, time interval, attshift, and holiday. | 6.2 |
| 2022-11-30 | CVE-2022-38803 | Cross-site Scripting vulnerability in Zkteco Biotime 8.5.3 Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, overtime, Manual log. | 6.8 |
| 2022-11-08 | CVE-2022-30515 | Missing Authentication for Critical Function vulnerability in Zkteco Biotime 8.5.4/8.5.5 ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration. | 5.3 |