Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Biotime
(Zkteco)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 14 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-04-11 | CVE-2023-51142 | An issue in ZKTeco BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information. | Biotime | N/A | ||
| 2023-08-03 | CVE-2023-38951 | ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM. | Biotime | 9.8 | ||
| 2023-08-03 | CVE-2023-38952 | Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints. | Biotime | 7.5 | ||
| 2023-08-03 | CVE-2023-38950 | A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. | Biotime | 7.5 | ||
| 2023-08-03 | CVE-2023-38952 | Insecure access control in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read sensitive backup files and access sensitive information such as user credentials via sending a crafted HTTP request to the static files resources of the system. | Biotime | 7.5 | ||
| 2023-08-03 | CVE-2023-38950 | A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. | Biotime | 7.5 | ||
| 2023-08-03 | CVE-2023-38951 | A path traversal vulnerability in ZKTeco BioTime v8.5.5 allows attackers to write arbitrary files via using a malicious SFTP configuration. | Biotime | 9.8 | ||
| 2023-08-03 | CVE-2023-38952 | Insecure access control in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read sensitive backup files and access sensitive information such as user credentials via sending a crafted HTTP request to the static files resources of the system. | Biotime | 7.5 | ||
| 2022-11-08 | CVE-2022-30515 | ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration. | Biotime | 5.3 | ||
| 2022-11-30 | CVE-2022-38801 | In Zkteco BioTime < 8.5.3 Build:20200816.447, an employee can hijack an administrator session and cookies using blind cross-site scripting. | Biotime | 5.4 |