CVE-2024-6344

ZKTeco ZKBio CVSecurity V5000 Push Configuration Section cross site scripting

CVSS 4.8 MEDIUMEPSS 0.4%CWE-79 CWE-94

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.8EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

26 Jun 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A vulnerability, which was classified as problematic, was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. This affects an unknown part of the component Push Configuration Section. The manipulation of the argument Configuration Name leads to cross site scripting. It is possible to initiate the attack remotely. It is recommended to upgrade the affected component. The vendor explains, that "[s]ince ZKBio CVSecurity v5000 has been withdrawn from the market, we recommend upgrading to ZKBio CVSecurity V6600 6.1.3_R or above". This vulnerability only affects products that are no longer supported by the maintainer.

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Affected products

ZKTeco · ZKBio CVSecurity V5000

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://vuldb.com/?ctiid.269733 https://vuldb.com/?id.269733 https://vuldb.com/?submit.358596 https://www.zkteco.com/en/Security_Bulletinsibs/17