Vulnerabilities > Zkteco > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2020-08-14 | CVE-2020-17473 | Insufficient Session Expiration vulnerability in ZKTeco FaceDepot 7B Firmware and ZKBiosecurity Server | Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server. | 4.3 |
2017-12-04 | CVE-2017-17057 | Cross-site Scripting vulnerability in ZKTeco ZKTime Web 2.0.1.12280 | There is a reflected XSS vulnerability in ZKTime Web 2.0.1.12280. | 4.3 |
2017-12-04 | CVE-2017-17056 | Cross-Site Request Forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2.0.1.12280 | The ZKTime Web Software 2.0.1.12280 allows the Administrator to elevate the privileges of the application user using a 'password_change()' function of the Modify Password component, reachable via the old_password, new_password1, and new_password2 parameters to the /accounts/password_change/ URI. | 6.8 |
2017-09-26 | CVE-2017-13129 | Cross-Site Request Forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2.0.1.12280 | Cross-site request forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2.0.1.12280 allows remote authenticated users to hijack the authentication of administrators for requests that add administrators by leveraging lack of anti-CSRF tokens. | 6.0 |
2017-09-21 | CVE-2017-14680 | Information Exposure vulnerability in ZKTeco ZKTime Web 2.0.1.12280 | ZKTeco ZKTime Web 2.0.1.12280 allows remote attackers to obtain sensitive employee metadata via a direct request for a PDF document. | 5.0 |