ZKTeco vulnerabilities

DATE         CVE              VULNERABILITY TITLE (description and RISK fields below each entry)

2022-11-08   CVE-2022-30515   Missing Authentication for Critical Function vulnerability in ZKTeco BioTime 8.5.4/8.5.5
    ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration.
    RISK: network, low complexity, zkteco, CWE-306, 5.3

2022-10-07   CVE-2022-36635   SQL Injection vulnerability in ZKTeco ZKBioSecurity V5000 4.1.3
    ZKTeco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.
    RISK: network, low complexity, zkteco, CWE-89, 8.8

2022-10-07   CVE-2022-36634   Incorrect Authorization vulnerability in ZKTeco ZKBioSecurity V5000 3.0.5.0R
    An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.
    RISK: network, low complexity, zkteco, CWE-863, 8.8

2020-08-14   CVE-2020-17474   Insufficient Session Expiration vulnerability in ZKTeco FaceDepot 7B Firmware and ZKBioSecurity Server
    A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBioSecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.
    RISK: network, low complexity, zkteco, CWE-613, critical, 9.8

2020-08-14   CVE-2020-17473   Insufficient Session Expiration vulnerability in ZKTeco FaceDepot 7B Firmware and ZKBioSecurity Server
    Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBioSecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.
    RISK: network, high complexity, zkteco, CWE-613, 5.9

2017-12-04   CVE-2017-17057   Cross-site Scripting vulnerability in ZKTeco ZKTime Web 2.0.1.12280
    There is a reflected XSS vulnerability in ZKTime Web 2.0.1.12280.
    RISK: network, low complexity, zkteco, CWE-79, 6.1

2017-12-04   CVE-2017-17056   Cross-Site Request Forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2.0.1.12280
    The ZKTime Web Software 2.0.1.12280 allows the Administrator to elevate the privileges of the application user using a 'password_change()' function of the Modify Password component, reachable via the old_password, new_password1, and new_password2 parameters to the /accounts/password_change/ URI.
    RISK: network, low complexity, zkteco, CWE-352, 8.8

2017-09-26   CVE-2017-13129   Cross-Site Request Forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2.0.1.12280
    Cross-site request forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2.0.1.12280 allows remote authenticated users to hijack the authentication of administrators for requests that add administrators by leveraging lack of anti-CSRF tokens.
    RISK: network, low complexity, zkteco, CWE-352, 8.0

2017-09-21   CVE-2017-14680   Information Exposure vulnerability in ZKTeco ZKTime Web 2.0.1.12280
    ZKTeco ZKTime Web 2.0.1.12280 allows remote attackers to obtain sensitive employee metadata via a direct request for a PDF document.
    RISK: network, low complexity, zkteco, CWE-200, 7.5