Unauthorized Password Reset Vulnerability in ZKTeco BioTime by ZKTeco
CVE-2023-38949
7.5 HIGH
What is CVE-2023-38949?
A security misconfiguration in ZKTeco BioTime version 8.5.5 exposes a hidden API that allows unauthenticated attackers to reset the Administrator password through specially crafted web requests. Because the reset requires no credentials and is reachable over the network, the vulnerability directly undermines the integrity of system access and the data the system protects, so affected users should apply corrective measures promptly. For further details and mitigation strategies, refer to the official resources provided by ZKTeco and security researchers.
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved