Total: 4 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-17057 | Zkteco | Zktime Web | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |

There is a reflected XSS vulnerability in ZKTime Web 2.0.1.12280. It exists because user-supplied data in the 'Range' field of the 'Department' module of a Personnel Advanced Query is insufficiently filtered before being echoed back in the response. A remote attacker who gets a victim to open a crafted link can execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable application.
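The failure mode above, as an added example that is not ZKTime Web's or ZKTeco's code: a results page that echoes a user-supplied 'range' query parameter, once unescaped (the reflected-XSS pattern) and once HTML-escaped, together with the reflection probe a scanner sends to tell the two apart. The endpoint URL, the parameter name and the probe string are constructed for this example.

```python
"""
Added example (not ZKTime Web code): a results page that echoes a user-supplied
'range' query parameter, once unescaped (reflected XSS) and once HTML-escaped, plus
the reflection probe a scanner sends to tell the two apart. URL, parameter and probe
are constructed for this example.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed probe: a unique marker inside markup that would execute if echoed verbatim.
PROBE = '"><svg onload=alert("xss-probe")>'


def _range_param(url: str) -> str:
    """Extract the 'range' query parameter (empty string when absent)."""
    return parse_qs(urlsplit(url).query).get("range", [""])[0]


def render_query_vulnerable(url: str) -> str:
    """Interpolates the raw parameter into an attribute value and into element text."""
    rng = _range_param(url)
    return f'<input name="range" value="{rng}"><p>Results for range {rng}</p>'


def render_query_hardened(url: str) -> str:
    """Same page; quote=True also escapes double and single quotes, which matters
    because the value lands inside an attribute."""
    rng = html.escape(_range_param(url), quote=True)
    return f'<input name="range" value="{rng}"><p>Results for range {rng}</p>'


def reflects_unescaped(render, base_url: str, param: str, probe: str = PROBE) -> bool:
    """Send the probe in `param` and report whether the response echoes it verbatim."""
    body = render(f"{base_url}?{urlencode({param: probe})}")
    return probe in body


if __name__ == "__main__":
    base = "http://zktime.example/personnel/advanced_query"  # hypothetical endpoint
    print("vulnerable echoes probe:", reflects_unescaped(render_query_vulnerable, base, "range"))
    print("hardened echoes probe:  ", reflects_unescaped(render_query_hardened, base, "range"))
```

Escaping at the point of output is the fix; input "filtering" alone is what the advisory describes as insufficient. A `Content-Security-Policy` without `'unsafe-inline'` is worth adding as defence in depth, but it does not replace output encoding.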
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-14680 | Zkteco | Zktime Web | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |

ZKTeco ZKTime Web 2.0.1.12280 allows remote attackers to obtain sensitive employee metadata via a direct, unauthenticated request for a PDF document.
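The "direct request" failure mode, as an added example that is not ZKTime Web's code: a report-export handler that returns any PDF whose URL is known, beside one that authenticates the session and then applies object-level authorization. File names, owners and the PDF bytes are constructed for the example, and the 401/404 choices are this example's design, not the product's.

```python
"""
Added example (not ZKTime Web code): a report-export handler with and without an
authorization check, illustrating the "direct request for a PDF document" failure mode.
Paths, names and data are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample store: file name -> (owning employee login, PDF bytes)
REPORTS: Dict[str, Tuple[str, bytes]] = {
    "emp-1001.pdf": ("alice", b"%PDF-1.4 constructed report for alice"),
    "emp-1002.pdf": ("bob", b"%PDF-1.4 constructed report for bob"),
}


@dataclass
class Session:
    user: Optional[str] = None  # None: no login cookie, i.e. an anonymous visitor
    role: str = "employee"


def _basename(path: str) -> str:
    """Keep only the final path component so '../' cannot reach outside the report set."""
    return path.rsplit("/", 1)[-1]


def serve_report_vulnerable(path: str, session: Session) -> Tuple[int, bytes]:
    """Any report that exists is returned to anyone who knows (or guesses) its URL."""
    name = _basename(path)
    if name in REPORTS:
        return 200, REPORTS[name][1]
    return 404, b""


def serve_report_hardened(path: str, session: Session) -> Tuple[int, bytes]:
    """Authentication first, then object-level authorization (owner or admin).
    A non-owner gets 404 rather than 403 so the response does not confirm that a
    particular employee's report exists."""
    if session.user is None:
        return 401, b""
    name = _basename(path)
    entry = REPORTS.get(name)
    if entry is None:
        return 404, b""
    owner, data = entry
    if session.role != "admin" and session.user != owner:
        return 404, b""
    return 200, data


if __name__ == "__main__":
    anon = Session()
    print("anonymous, no check:  ", serve_report_vulnerable("/export/emp-1001.pdf", anon)[0])
    print("anonymous, hardened:  ", serve_report_hardened("/export/emp-1001.pdf", anon)[0])
    print("owner, hardened:      ", serve_report_hardened("/export/emp-1001.pdf", Session("alice"))[0])
    print("other user, hardened: ", serve_report_hardened("/export/emp-1001.pdf", Session("bob"))[0])
```

The check belongs in the handler that serves the file, not only on the page that links to it: an export that is written to a web-served directory is reachable by URL whether or not the link is ever shown.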
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-17056 | Zkteco | Zktime Web | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |

ZKTime Web Software 2.0.1.12280 allows an Administrator to elevate the privileges of an application user through the 'password_change()' function of the Modify Password component, reachable via the old_password, new_password1 and new_password2 parameters of the /accounts/password_change/ URI. An attacker takes advantage of this by crafting a CSRF link that adds the attacker as an administrator of ZKTime Web Software, and then uses social engineering to trick the administra ...
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-13129 | Zkteco | Zktime Web | 2025-04-20 | 6.0 MEDIUM | 8.0 HIGH |

Cross-site request forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2.0.1.12280 allows remote authenticated users to hijack the authentication of administrators for requests that add administrators, because those requests carry no anti-CSRF token.
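The CSRF weakness behind both CVE-2017-17056 (the /accounts/password_change/ form) and CVE-2017-13129 (the add-administrator request), as an added example that is not ZKTime Web's code: synchronizer-token protection with an Origin/Referer check, beside an unprotected handler, and a re-authentication step for the password change. The origin, paths, form field `csrfmiddlewaretoken`, the `Store` state and the forged-request helper are assumptions made for the example; only the Django-style parameter names old_password, new_password1 and new_password2 come from the advisory.

```python
"""
Added example (not ZKTime Web code): synchronizer-token CSRF protection for an
add-administrator form and a Django-style /accounts/password_change/ form, beside
an unprotected handler. Origin, paths, field names other than the three password
parameters, and all state are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set
from urllib.parse import urlsplit

SITE_ORIGIN = "https://zktime.example"  # hypothetical origin of the deployment


@dataclass
class Session:
    user: str
    is_admin: bool
    # One unguessable token per session, rendered into every form the site serves.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Store:
    admins: Set[str]
    passwords: Dict[str, str]


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str]
    headers: Dict[str, str]
    session: Session  # the browser attaches the session cookie to cross-site POSTs too


def csrf_ok(req: Request) -> bool:
    """Accept only if the submitted token equals the session token (constant-time
    compare) and, when the browser sent Origin or Referer, it names our own site."""
    token = req.form.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(token.encode(), req.session.csrf_token.encode()):
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is not None:
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return False
    return True


def add_admin_vulnerable(req: Request, store: Store) -> int:
    """Authenticated-admin check only: a page on any origin can submit this in the admin's name."""
    if req.method != "POST" or not req.session.is_admin:
        return 403
    store.admins.add(req.form["username"])
    return 200


def add_admin_hardened(req: Request, store: Store) -> int:
    if req.method != "POST" or not req.session.is_admin or not csrf_ok(req):
        return 403
    store.admins.add(req.form["username"])
    return 200


def password_change_hardened(req: Request, store: Store) -> int:
    """Token check plus re-authentication with old_password: a forged request does
    not know the current password, so it fails even if the token check were bypassed."""
    if req.method != "POST" or not csrf_ok(req):
        return 403
    user = req.session.user
    current = store.passwords.get(user, "")
    if not hmac.compare_digest(req.form.get("old_password", "").encode(), current.encode()):
        return 400
    new1, new2 = req.form.get("new_password1", ""), req.form.get("new_password2", "")
    if not new1 or new1 != new2:
        return 400
    store.passwords[user] = new1
    return 200


def forged_add_admin(session: Session, store: Store, handler) -> int:
    """Constructed attacker page: auto-submits the form from its own origin. It cannot
    read the victim's token, so the request carries none."""
    req = Request("POST", "/admin/add/", {"username": "attacker"},
                  {"Origin": "https://evil.example"}, session)
    return handler(req, store)


def legitimate_add_admin(session: Session, store: Store, handler, username: str) -> int:
    """The site's own form: token rendered into the page, Origin is our site."""
    req = Request("POST", "/admin/add/",
                  {"username": username, "csrfmiddlewaretoken": session.csrf_token},
                  {"Origin": SITE_ORIGIN}, session)
    return handler(req, store)


if __name__ == "__main__":
    admin = Session(user="admin", is_admin=True)
    store = Store(admins={"admin"}, passwords={"admin": "old-secret"})
    print("forged, no CSRF check:", forged_add_admin(admin, store, add_admin_vulnerable), store.admins)
    store = Store(admins={"admin"}, passwords={"admin": "old-secret"})
    print("forged, CSRF check:   ", forged_add_admin(admin, store, add_admin_hardened), store.admins)
    print("legitimate:           ", legitimate_add_admin(admin, store, add_admin_hardened, "newadmin"), store.admins)
```

The Origin check is a backstop for the token, not a replacement: browsers omit Origin on some same-site navigations, so a missing header is tolerated here while a foreign one is rejected. Marking the session cookie `SameSite=Lax` (or `Strict`) blocks most cross-site POSTs before the handler runs, but the token remains the control that does not depend on browser behaviour.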