PT-2022-24575 · Zkteco · Zkteco Biotime
Ahmed Kameran · Published 2022-11-30 · Updated 2023-09-13 · CVE-2022-38802
CVSS v3.1: 6.2 (Medium)
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Zkteco BioTime versions prior to 8.5.3 Build:20200816.447
Description
The vulnerability is an Incorrect Access Control issue: an authenticated administrator can inject script (XSS) into the PDF generator when exporting data as a PDF, and that injection can be leveraged to read local files on the server. The injection point is reachable through several features, including resign, private message, manual log, time interval, attshift, and holiday.
Recommendations
For Zkteco BioTime versions prior to 8.5.3 Build:20200816.447, update to version 8.5.3 Build:20200816.447 or later to resolve the issue. As a temporary workaround, restrict access to the PDF generator and limit which users can export data as a PDF, to reduce the exposure until the update is applied.
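The root cause described above is user-controlled text being interpolated into the HTML that an HTML-to-PDF renderer consumes. The following is an added illustration, not BioTime's code and not the vendor's fix: it shows a report builder in its unsafe form beside a hardened form that HTML-escapes every user field, plus a pre-render check that refuses the document if any tag the template itself does not emit survives. The field names, the record layout and the assumption that the renderer takes an HTML fragment are all constructed for the example.

```python
import html
import re

# Constructed field names for a record being exported; these are assumptions,
# not BioTime's actual field names.
USER_FIELDS = ("reason", "message", "note")

# Tags the report template itself emits; any other tag in the final fragment
# can only have come from user-controlled data.
TEMPLATE_TAG_RE = re.compile(r"<(?!/?(?:html|body|table|tr|td|th)\b)[^>]*>")


def build_report_html_unsafe(record: dict) -> str:
    """Before: user fields are interpolated verbatim into the HTML handed to
    the HTML-to-PDF renderer, so markup inside a field is rendered as markup."""
    rows = "".join(
        f"<tr><th>{field}</th><td>{record.get(field, '')}</td></tr>"
        for field in USER_FIELDS
    )
    return f"<html><body><table>{rows}</table></body></html>"


def build_report_html_safe(record: dict) -> str:
    """After: every user-controlled value is HTML-escaped first, so the
    renderer only ever sees text, never tags or attributes."""
    rows = "".join(
        f"<tr><th>{field}</th><td>{html.escape(str(record.get(field, '')))}</td></tr>"
        for field in USER_FIELDS
    )
    return f"<html><body><table>{rows}</table></body></html>"


def contains_foreign_markup(fragment: str) -> bool:
    """Pre-render check: True if a tag the template does not emit is present."""
    return TEMPLATE_TAG_RE.search(fragment) is not None


def render_to_pdf_input(record: dict) -> str:
    """Gate the renderer: escape first, then refuse to render if foreign
    markup somehow remains (defence in depth around the escaping step)."""
    fragment = build_report_html_safe(record)
    if contains_foreign_markup(fragment):
        raise ValueError("refusing to render: unexpected markup in report HTML")
    return fragment


# Constructed sample record: free-text fields that contain harmless markup.
SAMPLE_RECORD = {
    "reason": "annual leave",
    "message": "see <b>attached</b> note",
    "note": "<i>urgent</i>",
}

if __name__ == "__main__":
    unsafe = build_report_html_unsafe(SAMPLE_RECORD)
    safe = render_to_pdf_input(SAMPLE_RECORD)
    print("unsafe fragment carries foreign markup:", contains_foreign_markup(unsafe))
    print("safe fragment carries foreign markup:  ", contains_foreign_markup(safe))
```

Escaping at the template boundary is the control that removes the injection; the tag check only catches a regression in that escaping. A second, independent layer is the renderer's own configuration: the page does not say which HTML-to-PDF engine BioTime uses, but engines such as wkhtmltopdf offer a switch (`--disable-local-file-access`) that stops the renderer from resolving local paths at all, which is the capability that turns a markup injection into a local file read.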
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Zkteco Biotime