Zkteco Zkbio_cvsecurity
8 CVEs affecting Zkteco Zkbio_cvsecurity. Latest disclosed: 2025-05-13. Critical: 1, High: 4.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2024-36526 | Critical | 9.8 | 2024-07-09 | ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key. |
CVE-2024-35433 | High | 8.1 | 2024-05-30 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new adm… |
CVE-2024-35430 | High | 8.1 | 2024-05-30 | In ZKTeco ZKBio CVSecurity v6.1.1_R and earlier (fixed in 6.1.3_R) an authenticated user can bypass password checks while exporting data from the application. |
CVE-2024-35431 | High | 7.5 | 2024-05-30 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via photoBase64. An unauthenticated user can download local files from the server. NOTE: Thi… |
CVE-2024-35428 | High | 7.1 | 2024-05-30 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server which can le… |
CVE-2025-45746 | Medium | 6.5 | 2025-05-13 | In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Su… |
CVE-2024-35429 | Medium | 6.5 | 2024-05-30 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord. |
CVE-2024-35432 | Medium | 6.1 | 2024-05-30 | ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Cross Site Scripting (XSS) via an Audio File. An authenticated user can injection malicious JavaScript code to t… |