Filtered by vendor Zkteco
Subscriptions
Total
40 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-35432 | 1 Zkteco | 1 Zkbio Cvsecurity | 2025-02-13 | 6.1 Medium |
| ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Cross Site Scripting (XSS) via an Audio File. An authenticated user can injection malicious JavaScript code to trigger a Cross Site Scripting. | ||||
| CVE-2024-35431 | 1 Zkteco | 1 Zkbio Cvsecurity | 2025-02-13 | 7.5 High |
| ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via photoBase64. An unauthenticated user can download local files from the server. | ||||
| CVE-2024-35430 | 1 Zkteco | 1 Zkbio Cvsecurity | 2025-02-13 | 8.1 High |
| In ZKTeco ZKBio CVSecurity v6.1.1 an authenticated user can bypass password checks while exporting data from the application. | ||||
| CVE-2024-35429 | 1 Zkteco | 1 Zkbio Cvsecurity | 2025-02-13 | 6.5 Medium |
| ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord. | ||||
| CVE-2024-1706 | 1 Zkteco | 1 Zkbio Access Ivs | 2025-02-12 | 3.5 Low |
| A vulnerability, which was classified as problematic, has been found in ZKTeco ZKBio Access IVS up to 3.3.2. Affected by this issue is some unknown functionality of the component Department Name Search Bar. The manipulation with the input <marquee>hi leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254396. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-11049 | 1 Zkteco | 1 Zkbio Time | 2024-11-23 | 3.7 Low |
| A vulnerability classified as problematic has been found in ZKTeco ZKBio Time 9.0.1. Affected is an unknown function of the file /auth_files/photo/ of the component Image File Handler. The manipulation leads to direct request. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-6523 | 1 Zkteco | 1 Biotime | 2024-11-21 | 3.5 Low |
| A vulnerability was found in ZKTeco BioTime up to 9.5.2. It has been classified as problematic. Affected is an unknown function of the component system-group-add Handler. The manipulation of the argument user with the input <script>alert('XSS')</script> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-270366 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-6005 | 1 Zkteco | 1 Zkbio Cvsecurity V5000 | 2024-11-21 | 3.5 Low |
| A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Department Section. The manipulation of the argument Department Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-268693 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-36526 | 1 Zkteco | 1 Zkbio Cvsecurity | 2024-11-21 | 9.8 Critical |
| ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key. | ||||
| CVE-2023-4587 | 1 Zkteco | 2 Zem800, Zem800 Firmware | 2024-11-21 | 8.3 High |
| An IDOR vulnerability has been found in ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server. | ||||
| CVE-2023-38958 | 1 Zkteco | 1 Bioaccess Ivs | 2024-11-21 | 5.3 Medium |
| An access control issue in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to arbitrarily close and open the doors managed by the platform remotely via sending a crafted web request. | ||||
| CVE-2023-38956 | 1 Zkteco | 1 Bioaccess Ivs | 2024-11-21 | 7.5 High |
| A path traversal vulnerability in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. | ||||
| CVE-2023-38955 | 1 Zkteco | 1 Bioaccess Ivs | 2024-11-21 | 7.5 High |
| ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to obtain sensitive information about all managed devices, including their IP addresses and device names. | ||||
| CVE-2023-38954 | 1 Zkteco | 1 Bioaccess Ivs | 2024-11-21 | 9.8 Critical |
| ZKTeco BioAccess IVS v3.3.1 was discovered to contain a SQL injection vulnerability. | ||||
| CVE-2023-38949 | 1 Zkteco | 1 Biotime | 2024-11-21 | 7.5 High |
| An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to arbitrarily reset the Administrator password via a crafted web request. | ||||
| CVE-2022-36635 | 1 Zkteco | 1 Zkbiosecurity V5000 | 2024-11-21 | 8.8 High |
| ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do. | ||||
| CVE-2022-36634 | 1 Zkteco | 1 Zkbiosecurity V5000 | 2024-11-21 | 8.8 High |
| An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request. | ||||
| CVE-2020-17474 | 1 Zkteco | 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server | 2024-11-21 | 9.8 Critical |
| A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database. | ||||
| CVE-2020-17473 | 1 Zkteco | 3 Facedepot 7b, Facedepot 7b Firmware, Zkbiosecurity Server | 2024-11-21 | 5.9 Medium |
| Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server. | ||||
| CVE-2023-51157 | 1 Zkteco | 2 Wdms, Wdms Pro | 2024-10-02 | 5.4 Medium |
| Cross Site Scripting vulnerability in ZKTeco WDMS v.5.1.3 Pro allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted script to the Emp Name parameter. | ||||