Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Zkbio_cvsecurity
(Zkteco)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 9 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-05-30 | CVE-2024-35430 | In ZKTeco ZKBio CVSecurity v6.1.1 an authenticated user can bypass password checks while exporting data from the application. | Zkbio_cvsecurity | N/A | ||
| 2024-05-30 | CVE-2024-35431 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via photoBase64. An unauthenticated user can download local files from the server. NOTE: Third parties have indicated other versions are also vulnerable including up to 6.4.1. | Zkbio_cvsecurity | N/A | ||
| 2024-05-30 | CVE-2024-35432 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Cross Site Scripting (XSS) via an Audio File. An authenticated user can injection malicious JavaScript code to trigger a Cross Site Scripting. | Zkbio_cvsecurity | N/A | ||
| 2024-05-30 | CVE-2024-35433 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new admin user. | Zkbio_cvsecurity | N/A | ||
| 2024-07-09 | CVE-2024-36526 | ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key. | Zkbio_cvsecurity | N/A | ||
| 2025-05-13 | CVE-2025-45746 | In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result in login access or data access in the context of the application software platform. | Zkbio_cvsecurity | 9.8 | ||
| 2025-05-13 | CVE-2025-45746 | In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console. | Zkbio_cvsecurity | 9.8 | ||
| 2024-05-30 | CVE-2024-35428 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server which can lead to DoS. | Zkbio_cvsecurity | 7.1 | ||
| 2024-05-30 | CVE-2024-35429 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord. | Zkbio_cvsecurity | 6.5 |