
ZKTeco ZKBio CVSecurity vulnerabilities

8 known vulnerabilities affecting zkteco/zkbio_cvsecurity.

Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 2

Vulnerabilities

CVE-2025-45746 | P2 | CRITICAL | CVSS 9.8 | version 6.4.1_R | affected ≥ 6.4.1_R, < 6.6.0_R | published 2025-05-13
CVE-2025-45746 [CRITICAL] CWE-321: In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft a JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result i
Source: nvd
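The entry above (and CVE-2024-36526 further down) is about a signing secret that ships identically in every install. The following is an added example, not ZKTeco's code and not derived from the product: a minimal HS256 JWT signer and verifier showing that once such a secret is known, a client with no credentials mints a token the console accepts, and that a per-installation secret generated at first start makes the same forged token fail. The secret value, the claim names and the `console_admin` role are constructed placeholders.

```python
"""Added example, not ZKTeco's code: why a JWT secret baked into the shipped
software (CWE-321, the class behind CVE-2025-45746) lets an unauthenticated
client mint its own console session.  HARDCODED_SECRET, the claim names and the
'console_admin' role are constructed placeholders, not values from the product."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed placeholder standing in for a secret compiled into every install.
HARDCODED_SECRET = b"vendor-default-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWS: base64url(header).base64url(payload).base64url(mac)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(b64url_encode(p) for p in parts)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_jwt_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the MAC matches and 'exp' is in the future, else None.
    The algorithm is pinned to HS256 so a client cannot downgrade to alg=none."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
        if claims.get("exp", 0) < (time.time() if now is None else now):
            return None  # a missing or past expiry is rejected
        return claims
    except (ValueError, AttributeError, TypeError):
        return None


def forge_console_token(secret: bytes, now: float) -> str:
    """Attacker side: with the secret pulled from the binary, sign any claims the
    console trusts.  No credentials are involved at any point."""
    claims = {"sub": "attacker", "role": "console_admin", "exp": now + 3600}
    return sign_jwt_hs256(claims, secret)


def fresh_install_secret() -> bytes:
    """Fix: generate a per-installation secret on first start and persist it in
    protected configuration, so a token signed with the shipped default fails."""
    return secrets.token_bytes(32)


def demo(now: float = 1_700_000_000.0) -> tuple:
    """Returns (accepted by a server using the shipped secret,
                accepted by a server using its own generated secret)."""
    forged = forge_console_token(HARDCODED_SECRET, now)
    on_vulnerable = verify_jwt_hs256(forged, HARDCODED_SECRET, now) is not None
    on_fixed = verify_jwt_hs256(forged, fresh_install_secret(), now) is not None
    return on_vulnerable, on_fixed


if __name__ == "__main__":
    print(demo())
```

The verifier also rejects a token whose header says `alg: none` and a token whose payload was edited after signing; rotating to a generated secret invalidates every token issued under the old one, which is the intended effect when the old one is public. Network reachability of the console (the point the supplier raises) changes who can exercise this, not whether the check itself holds.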
CVE-2024-35430 | P3 | HIGH | CVSS 8.1 | version 6.1.1 | published 2024-05-30
CVE-2024-35430 [HIGH] CWE-269: In ZKTeco ZKBio CVSecurity v6.1.1_R and earlier (fixed in 6.1.3_R) an authenticated user can bypass password checks while exporting data from the application.
Source: nvd
CVE-2024-36526 | P3 | CRITICAL | CVSS 9.8 | version 6.1.1 | published 2024-07-09
CVE-2024-36526 [CRITICAL] CWE-259: ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key.
Source: nvd
CVE-2024-35433 | P3 | HIGH | CVSS 8.1 | version 6.1.1 | published 2024-05-30
CVE-2024-35433 [HIGH] CWE-284: ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user without the permission to manage users can create a new admin user.
Source: nvd
CVE-2024-35431 | P3 | HIGH | CVSS 7.5 | version 6.1.1 | published 2024-05-30
CVE-2024-35431 [HIGH] CWE-31: ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via photoBase64. An unauthenticated user can download local files from the server. NOTE: Third parties have indicated that other versions are also vulnerable, including up to 6.4.1.
Source: nvd
CVE-2024-35429 | P3 | MEDIUM | CVSS 6.5 | version 6.1.1 | published 2024-05-30
CVE-2024-35429 [MEDIUM] CWE-22: ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord.
Source: nvd
CVE-2024-35428 | P3 | HIGH | CVSS 7.1 | version 6.1.1 | published 2024-05-30
CVE-2024-35428 [HIGH] CWE-22: ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server, which can lead to DoS.
Source: nvd
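Three entries on this page (CVE-2024-35431 via photoBase64, CVE-2024-35429 via eventRecord, CVE-2024-35428 via BaseMediaFile) are the same bug class with different primitives: a user-controlled file name reaches the filesystem without a containment check, giving arbitrary read in one case and arbitrary delete in another. The following is an added example, not ZKTeco's code and not based on the product's source: the naive join that produces this behaviour next to a hardened resolver, exercised on a throw-away directory tree. Only the parameter names above come from the advisories; the tree layout, file contents and request values are constructed for the demo.

```python
"""Added example, not ZKTeco's code: the file-access pattern behind the three
traversal entries (photoBase64 read, eventRecord, BaseMediaFile delete) next to
a hardened version.  Only the parameter names come from the advisories; the
directory layout, file contents and request values are constructed for the demo."""
import tempfile
from pathlib import Path


def vulnerable_path(media_root: Path, user_supplied: str) -> Path:
    """Before: untrusted input joined straight onto the media root.  '..' walks
    upward and an absolute path replaces the root entirely."""
    return media_root / user_supplied


def safe_path(media_root: Path, user_supplied: str) -> Path:
    """After: resolve '..' and symlinks first, then require the result to sit
    strictly below the root.  One containment check covers '../', absolute
    paths and symlink escapes alike."""
    root = media_root.resolve()
    candidate = (root / user_supplied).resolve()
    if root not in candidate.parents:
        raise PermissionError(f"path escapes media root: {user_supplied!r}")
    return candidate


def demo() -> dict:
    """Builds a throw-away tree where <tmp>/app/secret.conf sits outside
    <tmp>/app/media, then exercises read and delete with traversal input."""
    tmp = Path(tempfile.mkdtemp())
    media = tmp / "app" / "media"
    media.mkdir(parents=True)
    (media / "photo1.jpg").write_bytes(b"JPEG-bytes")
    (tmp / "app" / "secret.conf").write_text("db_password=constructed")

    results = {}
    results["vuln_normal"] = vulnerable_path(media, "photo1.jpg").read_bytes()
    # Unauthenticated download of an arbitrary file (CVE-2024-35431's primitive).
    results["vuln_traversal"] = vulnerable_path(media, "../secret.conf").read_bytes()
    results["safe_normal"] = safe_path(media, "photo1.jpg").read_bytes()
    for label, name in [("safe_traversal", "../secret.conf"),
                        ("safe_absolute", "/etc/hostname"),
                        ("safe_empty", "")]:
        try:
            safe_path(media, name)
            results[label] = "allowed"
        except PermissionError:
            results[label] = "blocked"
    # Delete (CVE-2024-35428's primitive): same guard, so the config survives.
    try:
        safe_path(media, "../secret.conf").unlink()
        results["safe_delete"] = "allowed"
    except PermissionError:
        results["safe_delete"] = "blocked"
    results["secret_still_exists"] = (tmp / "app" / "secret.conf").exists()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check has to run on the value the filesystem will actually see: if the parameter arrives URL-encoded or base64-encoded, decode it first and pass the decoded string to `safe_path`, otherwise a `%2e%2e/` or an encoded `../` sails past a string comparison. Resolving before comparing is what makes the guard hold for symlinks inside the media directory as well as for literal `..` segments.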
CVE-2024-35432 | P4 | MEDIUM | CVSS 6.1 | version 6.1.1 | published 2024-05-30
CVE-2024-35432 [MEDIUM] CWE-79: ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Cross Site Scripting (XSS) via an Audio File. An authenticated user can inject malicious JavaScript code to trigger Cross Site Scripting.
Source: nvd
Zkteco Zkbio Cvsecurity vulnerabilities | cvebase