VYPR

Zktime Web

by Zkteco

CVEs (5)

  • CVE-2017-17056HigDec 4, 2017
    risk 0.57cvss 8.8epss 0.01

    The ZKTime Web Software 2.0.1.12280 allows the Administrator to elevate the privileges of the application user using a 'password_change()' function of the Modify Password component, reachable via the old_password, new_password1, and new_password2 parameters to the…

  • CVE-2017-13129HigSep 26, 2017
    risk 0.55cvss 8.0epss 0.01

    Cross-site request forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2.0.1.12280 allows remote authenticated users to hijack the authentication of administrators for requests that add administrators by leveraging lack of anti-CSRF tokens.

  • CVE-2017-14680HigSep 21, 2017
    risk 0.52cvss 7.5epss 0.04

    ZKTeco ZKTime Web 2.0.1.12280 allows remote attackers to obtain sensitive employee metadata via a direct request for a PDF document.

  • CVE-2017-17057MedDec 4, 2017
    risk 0.40cvss 6.1epss 0.01

    There is a reflected XSS vulnerability in ZKTime Web 2.0.1.12280. The vulnerability exists due to insufficient filtration of user-supplied data in the 'Range' field of the 'Department' module in a Personnel Advanced Query. A remote attacker can execute arbitrary HTML and script…

  • CVE-2021-39434Dec 5, 2022
    risk 0.00cvss epss 0.01

    A default username and password for an administrator account was discovered in ZKTeco ZKTime 10.0 through 11.1.0, builds 20180901, 20190510.1, 20200309.3, 20200930, 20201231, and 20210220.