114 matches found
CVE-2016-20026
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP...
EUVD-2016-10811
ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling...
EUVD-2016-10809
ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in...
EUVD-2016-10815
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to...
EUVD-2016-10813
ZKTeco ZKBioSecurity 3.0 contains a file path manipulation vulnerability that allows attackers to access arbitrary files by modifying file paths used to retrieve local resources. Attackers can manipulate path parameters to bypass access controls and retrieve sensitive information including...
EUVD-2016-10807
ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP...
CVE-2016-20028
ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling...
CVE-2016-20031
ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp method which treats IPv6 loopback address...
CVE-2016-20029
ZKTeco ZKBioSecurity 3.0 contains a file path manipulation vulnerability that allows attackers to access arbitrary files by modifying file paths used to retrieve local resources. Attackers can manipulate path parameters to bypass access controls and retrieve sensitive information including...
CVE-2016-20030
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to...
ZKTeco ZKBioSecurity 信任管理问题漏洞
ZKTeco ZKBioSecurity is a web-based integrated platform developed by ZKTeco Corporation in China. Version 3.0 of ZKTeco ZKBioSecurity contains a vulnerability related to trust management. This vulnerability stems from hard-coded credentials, which may allow unverified attackers to access the...
ZKTeco ZKBioSecurity 跨站请求伪造漏洞
ZKTeco ZKBioSecurity is a web-based integrated platform developed by ZKTeco Corporation in China. Version 3.0 of ZKTeco ZKBioSecurity contains a cross-site request forgeing vulnerability. This vulnerability stems from cross-site request forgery, allowing attackers to trick users into accessing...
ZKTeco ZKBioSecurity 信任管理问题漏洞
ZKTeco ZKBioSecurity is a web-based integrated platform developed by ZKTeco Corporation in China. Version 3.0 of ZKTeco ZKBioSecurity contains a vulnerability related to trust management. This vulnerability stems from local authorization bypassing, which may allow attackers to authenticate withou...
ZKTeco ZKBioSecurity 跨站脚本漏洞
ZKTeco ZKBioSecurity is a web-based integrated platform developed by ZKTeco Corporation in China. Version 3.0 of ZKTeco ZKBioSecurity contains a cross-site scripting vulnerability. This vulnerability arises from improper handling of multiple parameters, which may allow attackers to inject malicio...
ZKTeco ZKBioSecurity 安全漏洞
ZKTeco ZKBioSecurity is a web-based integrated platform developed by ZKTeco Corporation in China. Version 3.0 of ZKTeco ZKBioSecurity contains security vulnerabilities. These vulnerabilities stem from user enumeration, and could allow unverified attackers to discover valid usernames by submitting...
ZKTeco ZKBioSecurity 安全漏洞
ZKTeco ZKBioSecurity is a web-based integrated platform developed by ZKTeco in China. Version 3.0 of ZKTeco ZKBioSecurity contains a security vulnerability. This vulnerability stems from improper handling of file paths, which may allow attackers to access arbitrary files by modifying file paths...
CVE-2016-20031 ZKTeco ZKBioSecurity 3.0 Local Authorization Bypass via visLogin.jsp
ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp method which treats IPv6 loopback address...
CVE-2016-20031
CVE-2016-20031 affects ZKTeco ZKBioSecurity 3.0 (visLogin.jsp). The vulnerability enables a local authorization bypass by spoofing localhost requests; EnvironmentUtil.getClientIp() maps IPv6 loopback 0:0:0:0:0:0:0:1 to 127.0.0.1 and uses that IP as the username with a hardcoded password (123456) ...
CVE-2016-20031 ZKTeco ZKBioSecurity 3.0 Local Authorization Bypass via visLogin.jsp
ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp method which treats IPv6 loopback address...
CVE-2016-20030 ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to...