CVE-2023-38952
Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforc...
CVE-2023-38951
ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 20240617.19506 allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH...
CVE-2023-38952
CVE-2023-38952 affects ZKTeco BioTime
CVE-2023-38949
CVE-2023-38949 affects ZKTeco BioTime v8.5.5 via a hidden API in the web interface that can be abused by unauthenticated attackers to reset the Administrator password through a crafted request. The root cause is an exposed, unauthenticated password-reset pathway in the BioTime web platform; impac...
CVE-2023-38950
ZKTeco BioTime v8.5.5 is affected by a path traversal vulnerability in the iclock API that allows unauthenticated attackers to read arbitrary files by supplying a crafted payload. This is due to insufficient path validation in the iclock API parameter handling. The issue is fixed in ZKBioTime ver...
ZKTeco BioTime Security Vulnerability
ZKTeco BioTime is a powerful web-based time and attendance management software from ZKTeco, China. A password reset vulnerability exists in ZKTeco BioTime, which can be exploited by an attacker to arbitrarily reset the administrator's password via a crafted web request...
CVE-2023-38949
An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to arbitrarily reset the Administrator password via a crafted web request...
CVE-2023-38950
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime...
CVE-2023-38951
CVE-2023-38951 affects ZKTeco BioTime versions 8.5.5 through 9.x prior to 9.0.1. A path traversal flaw in the /base/sftpsetting/ endpoint allows an authenticated attacker to create or overwrite arbitrary server files by abusing the Username field and insufficient input sanitization on the SSH Key...
CVE-2023-38950
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime...
Zkteco BioTime Path Traversal Vulnerability
ZKTeco BioTime is a powerful web-based time and attendance management software from the Chinese company ZKTeco. A path traversal vulnerability exists in ZKTeco BioTime version v8.5.5, which originates from a vulnerability that allows an unauthenticated attacker to read arbitrary files by providin...
PT-2023-4124
Name of the Vulnerable Software and Affected Versions ZKTeco BioTime version 8.5.5 Description The issue is related to insecure access control in the ZKTeco BioTime platform, which can be exploited by sending a specially crafted HTTP request. This allows an unauthenticated attacker to gain...
PT-2023-4123 · Zkteco · Zkteco Biotime
Name of the Vulnerable Software and Affected Versions: ZKTeco BioTime version 8.5.5 Description: The issue is related to a hidden API in the ZKTeco BioTime platform, which allows unauthenticated attackers to reset the Administrator password via a crafted web request. This can be exploited by a...
PT-2023-4122 · Zkteco · Zkteco Biotime
Name of the Vulnerable Software and Affected Versions: ZKTeco BioTime version 8.5.5 Description: The issue is related to a path traversal vulnerability in the implementation of the SFTP protocol, which can be exploited by an attacker to write arbitrary files. This can be achieved by using a...
PT-2023-4121 · Zkteco · Zkteco Biotime
Name of the Vulnerable Software and Affected Versions: ZKTeco BioTime version 8.5.5 Description: A path traversal vulnerability in the iclock API allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. The vulnerability is related to errors in processing relative...
Zkteco BioTime Security Vulnerability
Zkteco BioTime is a powerful web-based time and attendance management software from the Chinese company Zkteco. A security vulnerability exists in Zkteco BioTime, which can be exploited by attackers to obtain sensitive information...
CVE-2022-38801
In Zkteco BioTime 8.5.3 Build:20200816.447, an employee can hijack an administrator session and cookies using blind cross-site scripting...
CVE-2022-38802
Zkteco BioTime 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via resign, private message, manual log, time interval, attshift, and holiday. An authenticated administrator can read local files by exploiting XSS into a pdf generator when exporting data as a PDF...
CVE-2022-38803
Zkteco BioTime 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, overtime, Manual log. An authenticated employee can read local files by exploiting XSS into a pdf generator when exporting data as a PDF...