Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. The affected versions may be before 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210). The fixed versions are firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and firmware version 15.00 (ZMM200-220-210).
References
| Link | Resource |
|---|---|
| https://seclists.org/fulldisclosure/2022/Oct/23 | Exploit Mailing List Third Party Advisory |
| https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
| AND |
|
Configuration 2 (hide)
| AND |
|
Configuration 3 (hide)
| AND |
|
Configuration 4 (hide)
| AND |
|
Configuration 5 (hide)
| AND |
|
Configuration 6 (hide)
| AND |
|
Configuration 7 (hide)
| AND |
|
Configuration 8 (hide)
| AND |
|
Configuration 9 (hide)
| AND |
|
Configuration 10 (hide)
| AND |
|
History
08 Aug 2023, 14:22
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-425 |
06 Jan 2023, 20:03
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-668 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| CPE | cpe:2.3:o:zkteco:zmm220_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zkteco:zem720:-:*:*:*:*:*:*:* cpe:2.3:o:zkteco:zem500_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zkteco:zmm220:-:*:*:*:*:*:*:* cpe:2.3:o:zkteco:zem720_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zkteco:zem800_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zkteco:zem510_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zkteco:zmm210_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zkteco:zmm200_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zkteco:zem510:-:*:*:*:*:*:*:* cpe:2.3:h:zkteco:zmm200:-:*:*:*:*:*:*:* cpe:2.3:h:zkteco:zmm210:-:*:*:*:*:*:*:* cpe:2.3:h:zkteco:zem760:-:*:*:*:*:*:*:* cpe:2.3:h:zkteco:zem560:-:*:*:*:*:*:*:* cpe:2.3:o:zkteco:zem600_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zkteco:zem500:-:*:*:*:*:*:*:* cpe:2.3:h:zkteco:zem600:-:*:*:*:*:*:*:* cpe:2.3:o:zkteco:zem560_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zkteco:zem760_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zkteco:zem800:-:*:*:*:*:*:*:* |
|
| First Time |
Zkteco zem560
Zkteco zem720 Firmware Zkteco zem510 Firmware Zkteco zem600 Firmware Zkteco zem510 Zkteco zmm210 Firmware Zkteco zem760 Firmware Zkteco zem760 Zkteco zem720 Zkteco zmm220 Zkteco zmm200 Zkteco zmm200 Firmware Zkteco zem500 Zkteco zem800 Firmware Zkteco zmm210 Zkteco Zkteco zem600 Zkteco zmm220 Firmware Zkteco zem800 Zkteco zem500 Firmware Zkteco zem560 Firmware |
|
| References | (MISC) https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses - Exploit, Third Party Advisory | |
| References | (MISC) https://seclists.org/fulldisclosure/2022/Oct/23 - Exploit, Mailing List, Third Party Advisory |
25 Dec 2022, 05:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-12-25 05:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-42953
Mitre link : CVE-2022-42953
CVE.ORG link : CVE-2022-42953
JSON object : View
Products Affected
zkteco
- zmm210
- zmm220
- zem720
- zem760
- zem510_firmware
- zem600_firmware
- zem800_firmware
- zem800
- zmm200
- zmm210_firmware
- zem500_firmware
- zem560
- zmm220_firmware
- zem510
- zem760_firmware
- zmm200_firmware
- zem600
- zem720_firmware
- zem500
- zem560_firmware
CWE
CWE-425
Direct Request ('Forced Browsing')