CVE-2016-20032 is a stored cross-site scripting (XSS) vulnerability in ZKTeco ZKAccess Security System 5.3.1. The vulnerability allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Successful exploitation can compromise users' browser sessions and expose sensitive information.
CVE-2016-20030 is a critical user enumeration vulnerability in ZKTeco ZKBioSecurity 3.0. Unauthenticated attackers can discover valid usernames by submitting partial characters via the username parameter to the authLoginAction!login.do script.
CVE-2016-20029 is a file path manipulation vulnerability in ZKTeco ZKBioSecurity 3.0. Attackers can access arbitrary files by modifying file paths used to retrieve local resources. This allows them to bypass access controls and retrieve sensitive information, including configuration files, source code, and protected application resources.
CVE-2016-20028 is a medium-severity cross-site request forgery (CSRF) vulnerability in ZKTeco ZKBioSecurity 3.0. The vulnerability allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit a [truncated]
CVE-2016-20027 is a reflected cross-site scripting (XSS) vulnerability in ZKTeco ZKBioSecurity 3.0. The vulnerability allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of [truncated]
CVE-2016-20026 is a critical vulnerability in ZKTeco ZKBioSecurity 3.0. The vulnerability exists due to hardcoded credentials in the bundled Apache Tomcat server, allowing unauthenticated attackers to access the manager application. Attackers can authenticate with these hardcoded credentials, stored in tomcat-users.xml, to upload malicious WAR archives containing JSP applications and execute arbitrary cod [truncated]
CVE-2016-20024 is a critical vulnerability in ZKTeco ZKTime.Net 3.0.1.6, allowing unprivileged users to escalate privileges by modifying executable files due to insecure file permissions. The vulnerability has a CVSS score of 9.3 and is classified as CRITICAL.