cvedb.io
CVE-2023-38952
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2023-08-03T23:15:11.473 · Last modified 2026-07-09T01:18:33.433

Summary

Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints.

Affected products

zkteco — biotime

Does this affect you?

Add your gear to cvedb and we'll alert you only when zkteco ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.