CVE-2024-6344

Name of the Vulnerable Software and Affected Versions ZKTeco ZKBio CVSecurity V5000 version 4.1.0

Description A problematic issue was found in the Push Configuration Section component. The manipulation of the Configuration Name argument leads to cross-site scripting. It is possible to initiate the attack remotely. The vendor was contacted about this disclosure but did not respond.

Recommendations For ZKTeco ZKBio CVSecurity V5000 version 4.1.0, as a temporary workaround, consider restricting access to the Push Configuration Section until a patch is available. Avoid manipulating the Configuration Name argument in this section to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.