PT-2022-24576 · Zkteco · Zkteco Biotime
Ahmed Kameran · Published 2022-11-30 · Updated 2023-09-13
CVE-2022-38803
CVSS v3.1: 6.8 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Zkteco BioTime versions prior to 8.5.3 Build:20200816.447
Description
The issue is incorrect access control in the Leave, Overtime and Manual Log modules. An authenticated employee can inject script (XSS) into the PDF generator when exporting data as a PDF, and use it to read local files.
Recommendations
For versions prior to 8.5.3 Build:20200816.447, update to version 8.5.3 Build:20200816.447 or later to resolve the issue. As a temporary workaround, consider restricting access to the PDF generator and the export-as-PDF feature until a patch is available. Avoid using the PDF generator to export sensitive data until the issue is resolved.
Tags: XSS
Affected Products: Zkteco Biotime