PT-2024-26497 · Zkteco · Zkbio Cvsecurity
Published 2024-05-30 · Updated 2024-07-18 · CVE-2024-35428
| CVSS v3.1 | 7.1 (High) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |
Name of the Vulnerable Software and Affected Versions
ZKTeco ZKBio CVSecurity version 6.1.1
Description
The issue allows an authenticated user to perform a Directory Traversal attack via BaseMediaFile, enabling the deletion of local files from the server. This can lead to a Denial of Service (DoS).
Recommendations
For ZKTeco ZKBio CVSecurity version 6.1.1, restrict access to the BaseMediaFile functionality to prevent unauthorized file deletion until a patch is available. As a temporary workaround, limit the privileges of authenticated users to minimize the risk of exploitation.
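As an added example that is not part of this advisory or of ZKTeco's code, this is the containment check a media-file deletion handler needs: the user-supplied name is resolved against the media root and the canonical path is verified before anything is unlinked. The function names, the `media_root` layout and the sample file names are assumptions constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def resolve_media_path(media_root: str, requested: str) -> Path:
    """Map a user-supplied media name onto a path under media_root.

    Raises ValueError if the resolved path escapes media_root.
    """
    root = Path(media_root).resolve()
    # A media name must be relative to the root; reject absolute input outright.
    if os.path.isabs(requested) or requested.startswith(("/", "\\")):
        raise ValueError("absolute path not allowed")
    candidate = (root / requested).resolve()
    # Compare canonical paths: resolve() collapses '..' and follows symlinks, so a
    # string-prefix check on the raw request would not be sufficient.
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes media root: {requested!r}")
    return candidate


def delete_media_file(media_root: str, requested: str) -> bool:
    """Delete a file only if it resides under media_root; True on success."""
    target = resolve_media_path(media_root, requested)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed scenario: a media root with one upload and a sibling config dir."""
    base = Path(tempfile.mkdtemp())
    media = base / "media"
    media.mkdir()
    (media / "upload.jpg").write_bytes(b"\xff\xd8constructed")
    config = base / "config"
    config.mkdir()
    (config / "app.properties").write_text("constructed=1")
    results = {"legit": delete_media_file(str(media), "upload.jpg")}
    for attempt in ("../config/app.properties", "/etc/passwd",
                    "sub/../../config/app.properties"):
        try:
            delete_media_file(str(media), attempt)
            results[attempt] = "deleted"
        except ValueError:
            results[attempt] = "rejected"
    results["config_intact"] = (config / "app.properties").exists()
    return results
```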
Weakness Enumeration
Path traversal
Related Identifiers
CVE-2024-35428
Affected Products
Zkbio Cvsecurity