Incorrect Access Control in Zkteco BioTime Software
CVE-2022-38803

6.8MEDIUM

Key Information:

Vendor: Zkteco
Status: Biotime
Vendor: CVE Published:; 30 November 2022

What is CVE-2022-38803?

Zkteco BioTime versions prior to 8.5.3 Build 20200816.447 are subject to an Incorrect Access Control vulnerability. This flaw allows authenticated users to manipulate leave, overtime, or manual log functionalities to exploit cross-site scripting (XSS) vulnerabilities. By leveraging these methods, attackers can gain unauthorized access to sensitive local files when exporting data to PDF, posing significant risks to data integrity and confidentiality.

References

https://www.zkteco.com/

https://gist.github.com/hamoshwani/44653bfe7b8cc461692a2f...

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 30, 2022
Vulnerability Reserved
Aug 29, 2022