PT-2026-25729 · Undefined · Undefined

Published: 2026-03-15 · Updated: 2026-06-08 · CVE-2016-20031

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ZKTeco ZKBioSecurity version 3.0

Description: The software contains a local authorization bypass in the visLogin.jsp component, which lets attackers authenticate without valid credentials by spoofing localhost requests. The EnvironmentUtil.getClientIp() method incorrectly treats the IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1. Attackers can then authenticate using the IP address as the username together with the hardcoded password 123456, and so gain access to sensitive information and perform unauthorized actions.

Recommendations: Versions prior to 3.0 should be used.
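The two defects named in the description, a loopback check that only recognises one spelling of the address and a login path that accepts a fixed password for a request that looks local, are illustrated below from the defender's side. This is an added example, not ZKTeco's code and not a reconstruction of EnvironmentUtil.getClientIp(); it shows a string-comparison loopback check beside a parse-based one that gives the same answer for every textual form (including the expanded 0:0:0:0:0:0:0:1 named in the advisory and the IPv4-mapped ::ffff:127.0.0.1 seen on dual-stack sockets), and an authentication routine that keeps the peer address out of the credential decision altogether. The sample addresses, the user store and the function names are constructed for the example.

```python
"""Added example (not ZKTeco code): recognise loopback addresses by parsing,
and keep the request origin out of the authentication decision entirely."""
import hashlib
import hmac
import ipaddress
import os

# Constructed sample inputs: spellings a peer address can arrive in.
SAMPLE_ADDRESSES = [
    "127.0.0.1",         # canonical IPv4 loopback
    "127.0.0.2",         # still loopback (all of 127.0.0.0/8)
    "::1",               # compressed IPv6 loopback
    "0:0:0:0:0:0:0:1",   # expanded IPv6 loopback (the form named in the advisory)
    "::ffff:127.0.0.1",  # IPv4-mapped IPv6 loopback, common on dual-stack sockets
    "192.0.2.10",        # documentation address, not loopback
    "127.1",             # shorthand: a strict parser rejects it
    "localhost",         # a hostname, not an address
]


def naive_is_loopback(client_ip: str) -> bool:
    """String comparison: matches exactly one spelling and nothing else."""
    return client_ip == "127.0.0.1"


def is_loopback(client_ip: str) -> bool:
    """Parse first, then ask the parsed address: every spelling collapses to one answer."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False  # not an address literal: never treat it as local
    # ::ffff:a.b.c.d wraps an IPv4 address; judge the inner address
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def classify(addresses):
    """Map each spelling to (naive verdict, parsed verdict) to show where they diverge."""
    return {a: (naive_is_loopback(a), is_loopback(a)) for a in addresses}


# --- Authentication that does not consult the origin -------------------------

def make_record(password: str) -> dict:
    """Salted PBKDF2 record for the constructed user store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "hash": digest}


# Constructed user store with a single account.
USER_DB = {"alice": make_record("correct horse battery staple")}
_DUMMY = make_record("unused")  # hashed against for unknown usernames so timing stays uniform
AUDIT_LOG = []                  # (username, client_ip, outcome) tuples


def authenticate(username: str, password: str, client_ip: str, user_db=USER_DB) -> bool:
    """Verify a stored credential; the peer address is logged, never used as identity.

    There is no fixed password and no local-origin shortcut, so a request from
    ::1 presenting the username '0:0:0:0:0:0:0:1' is simply an unknown user.
    """
    record = user_db.get(username, _DUMMY)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    ok = hmac.compare_digest(digest, record["hash"]) and username in user_db
    AUDIT_LOG.append((username, client_ip, "ok" if ok else "denied"))
    return ok


if __name__ == "__main__":
    for addr, (naive, parsed) in classify(SAMPLE_ADDRESSES).items():
        print(f"{addr:18} naive={naive!s:5} parsed={parsed}")
    print(authenticate("alice", "correct horse battery staple", "::1"))
    print(authenticate("0:0:0:0:0:0:0:1", "123456", "::1"))
```

The parse-based check deliberately rejects "127.1" and "localhost": anything that is not a proper address literal is treated as not local rather than guessed at. The authentication routine shows the structural fix for the weakness class: once the origin is only an audit field and the password is a per-user salted hash, there is nothing for a spoofed loopback request to unlock.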

Fix

Using Hardcoded Credentials


Weakness Enumeration

Related Identifiers: CVE-2016-20031

Affected Products: Undefined