Incorrect Access Control Vulnerability in Zkteco BioTime Software
CVE-2022-38802

6.2MEDIUM

Key Information:

Vendor: Zkteco
Status: Biotime
Vendor: CVE Published:; 30 November 2022

What is CVE-2022-38802?

Zkteco BioTime prior to version 8.5.3 Build:20200816.447 has an incorrect access control vulnerability that allows authenticated administrators to exploit cross-site scripting (XSS) during data export. This security flaw enables the unauthorized access and reading of local files through various sensitive functionalities including resign, private message handling, manual logs, time intervals, attendance shifts, and holidays. Organizations utilizing affected versions should take prompt action to safeguard their systems.

References

https://www.zkteco.com/

https://gist.github.com/hamoshwani/fd7e3d9d9ff8896f1ccf84...

CVSS V3.1

Score:

6.2

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 30, 2022
Vulnerability Reserved
Aug 29, 2022