Vulnerabilities > Zkteco > High

DATE CVE VULNERABILITY TITLE RISK
2024-05-30 CVE-2024-35428 Path Traversal vulnerability in Zkteco Zkbio Cvsecurity 6.1.1
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile.
network
low complexity
zkteco CWE-22
7.1
2023-08-03 CVE-2023-38949 Unspecified vulnerability in Zkteco Biotime 8.5.5
An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to arbitrarily reset the Administrator password via a crafted web request.
network
low complexity
zkteco
7.5
2023-08-03 CVE-2023-38950 Path Traversal vulnerability in Zkteco Biotime 8.5.5
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.
network
low complexity
zkteco CWE-22
7.5
2023-08-03 CVE-2023-38952 Files or Directories Accessible to External Parties vulnerability in Zkteco Biotime 8.5.5
Insecure access control in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read sensitive backup files and access sensitive information such as user credentials via sending a crafted HTTP request to the static files resources of the system.
network
low complexity
zkteco CWE-552
7.5
2023-08-03 CVE-2023-38955 Exposure of Resource to Wrong Sphere vulnerability in Zkteco Bioaccess IVS 3.3.1
ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to obtain sensitive information about all managed devices, including their IP addresses and device names.
network
low complexity
zkteco CWE-668
7.5
2023-08-03 CVE-2023-38956 Path Traversal vulnerability in Zkteco Bioaccess IVS 3.3.1
A path traversal vulnerability in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.
network
low complexity
zkteco CWE-22
7.5
2022-12-25 CVE-2022-42953 Forced Browsing vulnerability in Zkteco products
Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs.
network
low complexity
zkteco CWE-425
7.5
2022-12-06 CVE-2021-39434 Weak Password Requirements vulnerability in Zkteco Zktime 11.1.0
A default username and password for an administrator account was discovered in ZKTeco ZKTime 10.0 through 11.1.0, builds 20180901, 20190510.1, 20200309.3, 20200930, 20201231, and 20210220.
network
low complexity
zkteco CWE-521
7.5
2022-10-07 CVE-2022-36635 SQL Injection vulnerability in Zkteco Zkbiosecurity V5000 4.1.3
ZKTeco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.
network
low complexity
zkteco CWE-89
8.8
2022-10-07 CVE-2022-36634 Incorrect Authorization vulnerability in Zkteco Zkbiosecurity V5000 3.0.5.0R
An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.
network
low complexity
zkteco CWE-863
8.8