GCVE - cpe:2.3:a:zkteco:biotime:8.5.5:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:zkteco:biotime:8.5.5:*:*:*:*:*:*:*

part: a version: 8.5.5 update: *

Vendor	Zkteco (`5c4057c2-8005-57f0-8064-1e33ee4cd690`)
Product	Biotime (`90654e63-0761-50a4-8fb9-bb6e38250cd5`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2023-38952`	vulnerable	2026-06-03 14:52:32.267263	Details available Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints. Published: 2023-08-03T00:00:00.000Z Updated: 2025-05-27T19:15:57.050Z Open on db.gcve.eu Reference links http://zkteco.com https://claroty.com/team82/disclosure-dashboard/cve-2023-38952 https://github.com/omair2084/biotime-rce-8.5.5/blob/main/biotime_enum.py https://krashconsulting.com/fury-of-fingers-biotime-rce/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-38951`	vulnerable	2026-06-03 14:52:32.266915	Details available ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM. Published: 2023-08-03T00:00:00.000Z Updated: 2025-05-27T19:16:38.829Z Open on db.gcve.eu Reference links https://claroty.com/team82/disclosure-dashboard/cve-2023-38951 https://github.com/omair2084/biotime-rce-8.5.5/blob/main/biotime_enum.py https://krashconsulting.com/fury-of-fingers-biotime-rce/ https://www.zkteco.com/en/ZKBio_Time/ZKBioTime#Download https://www.zkteco.com/en/announcement	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-38950`	vulnerable	2026-06-03 14:52:32.265555	Details available A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime. Published: 2023-08-03T00:00:00.000Z Updated: 2025-11-04T16:56:10.466Z Open on db.gcve.eu Reference links http://zkteco.com https://claroty.com/team82/disclosure-dashboard/cve-2023-38950	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-38949`	vulnerable	2026-06-03 14:52:32.265097	Details available An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to arbitrarily reset the Administrator password via a crafted web request. Published: 2023-08-03T00:00:00.000Z Updated: 2024-10-17T16:05:54.079Z Open on db.gcve.eu Reference links http://zkteco.com https://claroty.com/team82/disclosure-dashboard/cve-2023-38949	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-30515`	vulnerable	2026-06-03 14:47:08.768894	Details available ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration. Published: 2022-11-08T00:00:00.000Z Updated: 2025-05-01T18:48:00.411Z Open on db.gcve.eu Reference links https://www.zkteco.me/software-5 https://codingkoala.eu/posts/CVE202230515/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.