VYPR

Zkbiosecurity V5000

by Zkteco

CVEs (11)

  • CVE-2016-20030 | Critical | Mar 16, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying…

  • CVE-2016-20026 | Critical | Mar 16, 2026
    risk 0.64 | cvss 9.8 | epss 0.01

    ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives…

  • CVE-2016-20029 | Medium | Mar 16, 2026
    risk 0.40 | cvss 6.2 | epss 0.00

    ZKTeco ZKBioSecurity 3.0 contains a file path manipulation vulnerability that allows attackers to access arbitrary files by modifying file paths used to retrieve local resources. Attackers can manipulate path parameters to bypass access controls and retrieve sensitive…

  • CVE-2016-20027 | Medium | Mar 16, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with…

  • CVE-2016-20031 | Medium | Mar 16, 2026
    risk 0.36 | cvss 5.5 | epss 0.00

    ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback…

  • CVE-2016-20028 | Medium | Mar 16, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity…

  • CVE-2024-6006 | Low | Jun 15, 2024
    risk 0.23 | cvss 3.5 | epss 0.00

    A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Summer Schedule Handler. The manipulation of the argument Schedule Name leads to cross site scripting. The…

  • CVE-2024-6005 | Low | Jun 15, 2024
    risk 0.23 | cvss 3.5 | epss 0.00

    A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Department Section. The manipulation of the argument Department Name leads to cross site scripting.…

  • CVE-2024-6344 | Low | Jun 26, 2024
    risk 0.16 | cvss 2.4 | epss 0.00

    A vulnerability, which was classified as problematic, was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. This affects an unknown part of the component Push Configuration Section. The manipulation of the argument Configuration Name leads to cross site scripting. It is possible to…

  • CVE-2022-36635 | Oct 7, 2022
    risk 0.00 | cvss | epss 0.17

    ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.

  • CVE-2022-36634 | Oct 7, 2022
    risk 0.00 | cvss | epss 0.01

    An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.