mrojz

6 exploits. Active since May 2024.
CVE-2024-35428 - HIGH - Writeup
Zkteco Zkbio Cvsecurity - Path Traversal
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server which can lead to DoS.
CVSS 7.1
CVE-2024-35429 - MEDIUM - Writeup
Zkteco Zkbio Cvsecurity - Path Traversal
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord.
CVSS 6.5
CVE-2024-35430 - HIGH - Writeup
Zkteco Zkbio Cvsecurity - Improper Privilege Management
In ZKTeco ZKBio CVSecurity v6.1.1_R and earlier (fixed in 6.1.3_R) an authenticated user can bypass password checks while exporting data from the application.
CVSS 8.1
CVE-2024-35431 - HIGH - Writeup
Zkteco Zkbio Cvsecurity - Path Traversal
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via photoBase64. An unauthenticated user can download local files from the server. NOTE: Third parties have indicated other versions are also vulnerable including up to 6.4.1.
CVSS 7.5
CVE-2024-35432 - MEDIUM - Writeup
Zkteco Zkbio Cvsecurity - XSS
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Cross Site Scripting (XSS) via an Audio File. An authenticated user can inject malicious JavaScript code to trigger a Cross Site Scripting attack.
CVSS 6.1
CVE-2024-35433 - HIGH - Writeup
Zkteco Zkbio Cvsecurity - Improper Access Control
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new admin user.
CVSS 8.1