Lucene search

INCIBEVULNRICHMENT:CVE-2023-4587

HistorySep 04, 2023 - 11:23 a.m.

CVE-2023-4587 Insecure direct object reference in ZKTeco ZEM800

2023-09-0411:23:06

CWE-639

INCIBE

github.com

cve-2023-4587

idor

zkteco zem800

version 6.60

local attacker

registered user

backup files

device configuration

local network

vpn server

CVSS3

8.3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

AI Score

6.5

Confidence

Low

EPSS

Percentile

5.1%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

An IDOR vulnerability has been found in ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:h:zkteco:zem800:-:*:*:*:*:*:*:*"
    ],
    "vendor": "zkteco",
    "product": "zem800",
    "versions": [
      {
        "status": "affected",
        "version": "6.60"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

www.incibe.es/en/incibe-cert/notices/aviso/insecure-direct-object-reference-zkteco-zem800

CVSS3

8.3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

AI Score

6.5

Confidence

Low

EPSS

Percentile

5.1%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2023-4587