GCVE - cpe:2.3:a:zkteco:biotime:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:zkteco:biotime:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Zkteco (`5c4057c2-8005-57f0-8064-1e33ee4cd690`)
Product	Biotime (`90654e63-0761-50a4-8fb9-bb6e38250cd5`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-15128`	vulnerable	2026-06-03 14:58:56.530421	ZKTeco BioTime Endpoint safe_setting credentials storage MEDIUM (5.3) A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. This affects an unknown part of the file /base/safe_setting/ of the component Endpoint. Performing a manipulation of the argument backup_encryption_password_decrypt/export_encryption_password_decrypt results in unprotected storage of credentials. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Published: 2025-12-28T08:32:10.069Z Updated: 2026-02-24T06:06:21.038Z Open on db.gcve.eu Reference links https://vuldb.com/?id.338506 https://vuldb.com/?ctiid.338506 https://vuldb.com/?submit.711813 https://github.com/ionutluca888/IDOR-POC-ZKBio-Time/tree/main	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-6523`	vulnerable	2026-06-03 14:58:03.392570	ZKTeco BioTime system-group-add cross site scripting LOW (3.5) A vulnerability was found in ZKTeco BioTime up to 9.5.2. It has been classified as problematic. Affected is an unknown function of the component system-group-add Handler. The manipulation of the argument user with the input <script>alert('XSS')</script> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-270366 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Published: 2024-07-05T11:00:05.305Z Updated: 2024-08-01T21:41:03.907Z Open on db.gcve.eu Reference links https://vuldb.com/?id.270366 https://vuldb.com/?ctiid.270366 https://vuldb.com/?submit.364104 https://gist.github.com/whiteman007/c8bf92b0294cd2f0cda6bfaca36f8f28	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-13966`	vulnerable	2026-06-03 14:54:25.788616	ZKTeco BioTime default password HIGH (7.3) ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value '123456'. Users should change their passwords (located under the Attendance Settings tab as "Self-Password"). Published: 2025-05-27T18:35:31.706Z Updated: 2025-07-14T14:58:38.464Z Open on db.gcve.eu Reference links https://krashconsulting.com/fury-of-fingers-biotime-rce/ https://zkteco-store.ru/wp-content/uploads/2023/09/ZKBio-CVSecurity-6.0.0-User-Manual_EN-v1.0_20230616.pdf https://www.cve.org/CVERecord?id=CVE-2024-13966 https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-148-01.json	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-51141`	vulnerable	2026-06-03 14:53:31.944537	Details available An issue in ZKTeko BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component Published: 2024-03-21T00:00:00.000Z Updated: 2024-08-16T15:43:21.181Z Open on db.gcve.eu Reference links http://biotime.com http://zkteko.com https://gist.github.com/ipxsec/1680d29c49fe368be81b037168175b10	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-38950`	vulnerable	2026-06-03 14:52:32.266482	Details available A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime. Published: 2023-08-03T00:00:00.000Z Updated: 2025-11-04T16:56:10.466Z Open on db.gcve.eu Reference links http://zkteco.com https://claroty.com/team82/disclosure-dashboard/cve-2023-38950	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-38803`	vulnerable	2026-06-03 14:47:50.539525	Details available Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, overtime, Manual log. An authenticated employee can read local files by exploiting XSS into a pdf generator when exporting data as a PDF Published: 2022-11-30T00:00:00.000Z Updated: 2025-04-24T19:46:02.746Z Open on db.gcve.eu Reference links https://www.zkteco.com/ https://gist.github.com/hamoshwani/44653bfe7b8cc461692a2f074b1ef475	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-38802`	vulnerable	2026-06-03 14:47:50.539201	Details available Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via resign, private message, manual log, time interval, attshift, and holiday. An authenticated administrator can read local files by exploiting XSS into a pdf generator when exporting data as a PDF Published: 2022-11-30T00:00:00.000Z Updated: 2025-04-24T19:49:01.646Z Open on db.gcve.eu Reference links https://www.zkteco.com/ https://gist.github.com/hamoshwani/fd7e3d9d9ff8896f1ccf8426dccaf97e	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-38801`	vulnerable	2026-06-03 14:47:50.538770	Details available In Zkteco BioTime < 8.5.3 Build:20200816.447, an employee can hijack an administrator session and cookies using blind cross-site scripting. Published: 2022-11-30T00:00:00.000Z Updated: 2025-04-24T19:53:42.606Z Open on db.gcve.eu Reference links https://www.zkteco.com/ https://gist.github.com/hamoshwani/5ac860dd6757440174f446c62b24653f	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.