Cross-Site Request Forgery Vulnerability in ZKTeco ZKTime Software
CVE-2017-13129

8HIGH

Key Information:

Vendor: Zkteco
Status: Zktime Web
Vendor: CVE Published:; 26 September 2017

What is CVE-2017-13129?

The ZKTeco ZKTime Web software version 2.0.1.12280 is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability. This flaw allows remote authenticated users to potentially hijack the authentication of administrators, enabling them to add new administrators without proper authorization. The lack of anti-CSRF tokens is a critical oversight that opens the door to unauthorized administrative actions, which can severely compromise the security of the system if exploited.

References

http://seclists.org/fulldisclosure/2017/Sep/38

mailing-listx_refsource_FULLDISC

http://seclists.org/bugtraq/2017/Sep/19

mailing-listx_refsource_BUGTRAQ

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Sep 26, 2017
Vulnerability Reserved
Aug 22, 2017

Zkteco

What is CVE-2017-13129?

References

CVSS V3.1

Timeline