CVE-2023-38950

Name of the Vulnerable Software and Affected Versions ZKTeco BioTime version 8.5.5

Description The issue is related to a path traversal vulnerability in the iclock API, which can be exploited by supplying a crafted payload, allowing unauthenticated attackers to read arbitrary files. This vulnerability may allow a remote attacker to gain access to sensitive information by reading files on the system.

Recommendations For ZKTeco BioTime version 8.5.5, consider restricting access to the iclock API until a patch is available. As a temporary workaround, limit the ability to supply crafted payloads to the API to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.