CVE-2022-42953

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-42953
Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. The affected versions may be before 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210). The fixed versions are firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and firmware version 15.00 (ZMM200-220-210).

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://seclists.org/fulldisclosure/2022/Oct/23 Exploit Mailing List Third Party Advisory
https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses Exploit Third Party Advisory
https://seclists.org/fulldisclosure/2022/Oct/23 Exploit Mailing List Third Party Advisory
https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:zkteco:zmm200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zmm200:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:zkteco:zmm210_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zmm210:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:zkteco:zmm220_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zmm220:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:zkteco:zem720_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem720:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:zkteco:zem600_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem600:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:zkteco:zem800_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem800:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:zkteco:zem510_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem510:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:zkteco:zem560_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem560:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:zkteco:zem760_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem760:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:zkteco:zem500_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem500:-:*:*:*:*:*:*:*
History

21 Nov 2024, 07:25

Type Values Removed Values Added
References () https://seclists.org/fulldisclosure/2022/Oct/23 - Exploit, Mailing List, Third Party Advisory () https://seclists.org/fulldisclosure/2022/Oct/23 - Exploit, Mailing List, Third Party Advisory
References () https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses - Exploit, Third Party Advisory () https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses - Exploit, Third Party Advisory

08 Aug 2023, 14:22

Type Values Removed Values Added
References (MISC) https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses - (MISC) https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses - Exploit, Third Party Advisory
References (MISC) https://seclists.org/fulldisclosure/2022/Oct/23 - (MISC) https://seclists.org/fulldisclosure/2022/Oct/23 - Exploit, Mailing List, Third Party Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
CWE CWE-425
CPE cpe:2.3:o:zkteco:zem600_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem760:-:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zmm200:-:*:*:*:*:*:*:*
cpe:2.3:o:zkteco:zem800_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem560:-:*:*:*:*:*:*:*
cpe:2.3:o:zkteco:zmm200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem500:-:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem510:-:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem800:-:*:*:*:*:*:*:*
cpe:2.3:o:zkteco:zem510_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zkteco:zem560_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zmm210:-:*:*:*:*:*:*:*
cpe:2.3:o:zkteco:zem760_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zmm220:-:*:*:*:*:*:*:*
cpe:2.3:o:zkteco:zem500_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem600:-:*:*:*:*:*:*:*
cpe:2.3:h:zkteco:zem720:-:*:*:*:*:*:*:*
cpe:2.3:o:zkteco:zmm220_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zkteco:zem720_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:zkteco:zmm210_firmware:*:*:*:*:*:*:*:*

25 Dec 2022, 05:15

Type Values Removed Values Added
New CVE
Information

Published : 2022-12-25 05:15

Updated : 2025-04-15 14:15

NVD link : CVE-2022-42953

Mitre link : CVE-2022-42953

CVE.ORG link : CVE-2022-42953

JSON object : View

Products Affected

zkteco

  • zem600_firmware
  • zmm210
  • zem760_firmware
  • zem800_firmware
  • zem720
  • zmm210_firmware
  • zem560
  • zmm220_firmware
  • zem800
  • zem500
  • zem510_firmware
  • zem560_firmware
  • zmm220
  • zem720_firmware
  • zem510
  • zmm200
  • zem500_firmware
  • zem760
  • zmm200_firmware
  • zem600
CWE
CWE-425

Direct Request ('Forced Browsing')