Product:

Zkbio_cvsecurity

(Zkteco)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 9
Date Id Summary Products Score Patch Annotated
2024-05-30 CVE-2024-35430 In ZKTeco ZKBio CVSecurity v6.1.1 an authenticated user can bypass password checks while exporting data from the application. Zkbio_cvsecurity N/A
2024-05-30 CVE-2024-35431 ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via photoBase64. An unauthenticated user can download local files from the server. NOTE: Third parties have indicated other versions are also vulnerable including up to 6.4.1. Zkbio_cvsecurity N/A
2024-05-30 CVE-2024-35432 ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Cross Site Scripting (XSS) via an Audio File. An authenticated user can injection malicious JavaScript code to trigger a Cross Site Scripting. Zkbio_cvsecurity N/A
2024-05-30 CVE-2024-35433 ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new admin user. Zkbio_cvsecurity N/A
2024-07-09 CVE-2024-36526 ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key. Zkbio_cvsecurity N/A
2025-05-13 CVE-2025-45746 In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result in login access or data access in the context of the application software platform. Zkbio_cvsecurity 9.8
2025-05-13 CVE-2025-45746 In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console. Zkbio_cvsecurity 9.8
2024-05-30 CVE-2024-35428 ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server which can lead to DoS. Zkbio_cvsecurity 7.1
2024-05-30 CVE-2024-35429 ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord. Zkbio_cvsecurity 6.5