PT-2024-4718

Alexander Zaytsev · Published 2024-05-21 · Updated 2024-05-21 · CVE-2023-3938

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
ZkTeco ProFace X with firmware ZAM170-NF-1.8.25
Smartec ST-FR043 with firmware ZAM170-NF-1.8.25
Smartec ST-FR041ME with firmware ZAM170-NF-1.8.25

Description: The device firmware does not properly neutralize special elements used in an SQL command (SQL injection). An attacker can use this to execute arbitrary SQL code, bypass security restrictions, and gain unauthorized access to protected information; in particular, it allows the attacker to authenticate as any user stored in the device database.

Recommendations: For ZkTeco ProFace X, Smartec ST-FR043, and Smartec ST-FR041ME running firmware ZAM170-NF-1.8.25, update the firmware to a version that addresses the SQL injection vulnerability. As a temporary workaround, restrict access to the device database so that only trusted systems can reach it, which reduces the opportunity for exploitation.

Weakness Enumeration

SQL injection

Related Identifiers

BDU:2024-05237
CVE-2023-3938

Affected Products

Smartec ST-FR041ME
Smartec ST-FR043
ZkTeco ProFace X