CVE-2016-20030

Name of the Vulnerable Software and Affected Versions ZKTeco ZKBioSecurity version 3.0

Description The software contains a flaw that allows unauthenticated attackers to discover valid usernames. This is possible by submitting partial characters through the username parameter. Attackers can send requests to the /authLoginAction!login.do endpoint with different username inputs and enumerate valid user accounts based on the application's responses.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.