Hussein Amer

**Name of the Vulnerable Software and Affected Versions** ZKTeco BioTime versions up to 9.5.2 **Description** A vulnerability was found in the system-group-add Handler component. The manipulation of the `user` argument with malicious input, such as `<script>alert('XSS')</script>`, leads to cross-site scripting. This issue can be exploited remotely. **Recommendations** For ZKTeco BioTime versions up to 9.5.2, consider disabling the system-group-add Handler component until a patch is available. Restrict access to the affected component to minimize the risk of exploitation. Avoid using the `user` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZKTeco ZKBio Media version 2.0.0 x64 2024-01-29-1028 **Description** A problematic issue has been identified, affecting an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument `fileName` with the input ../../../../zkbio media.sql leads to path traversal: '../filedir'. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For ZKTeco ZKBio Media version 2.0.0 x64 2024-01-29-1028, as a temporary workaround, consider restricting access to the Service Port 9999 to minimize the risk of exploitation. Avoid using the `fileName` argument in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZKTeco ZKBio Access IVS versions up to 3.3.2 **Description** A problematic issue has been found in the Department Name Search Bar component, allowing for cross-site scripting through the manipulation of input, such as `<marquee>hi`. This can be exploited remotely. The issue has been publicly disclosed. **Recommendations** For ZKTeco ZKBio Access IVS versions up to 3.3.2, consider restricting access to the Department Name Search Bar component until a fix is available. As a temporary workaround, avoid using the input field in the Department Name Search Bar to minimize the risk of exploitation.