History: May 21, 2024 - 1:15 p.m.

CVE-2023-3942

2024-05-21 13:15:08
CWE-89
web.nvd.nist.gov
30
sql injection
zkteco
oem devices
user data
system parameters
firmware
nvd

7.5 High

CVSS3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.5 High

AI Score
Confidence: Low

EPSS: 0.0004 Low
Percentile: 9.0%

An 'SQL Injection' vulnerability, due to improper neutralization of special elements used in SQL commands, exists in ZKTeco-based OEM devices. This vulnerability allows an attacker to, in some cases, impersonate another user or perform unauthorized actions. In other instances, it enables the attacker to access user data and system parameters from the database.

This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with firmware ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others, and Standalone service v. 2.1.6-20200907 and possibly others.

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "product": "ZkTeco-based OEM devices with firmware ZAM170-NF-1.8.25-7354-Ver1.0.0, Standalone service v. 2.1.6-20200907",
    "vendor": "ZkTeco",
    "versions": [
      {
        "status": "affected",
        "version": "ZAM170-NF-1.8.25-7354-Ver1.0.0"
      },
      {
        "status": "affected",
        "version": "Standalone service v. 2.1.6-20200907"
      }
    ]
  }
]