CVE-2022-42953

Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. The affected versions may be before 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210). The fixed versions are firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and firmware version 15.00 (ZMM200-220-210).

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://seclists.org/fulldisclosure/2022/Oct/23	Exploit Mailing List Third Party Advisory
https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zkteco:zmm200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zkteco:zmm200:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:zkteco:zmm210_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zkteco:zmm210:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:zkteco:zmm220_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zkteco:zmm220:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:zkteco:zem720_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zkteco:zem720:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:zkteco:zem600_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zkteco:zem600:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:zkteco:zem800_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zkteco:zem800:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:zkteco:zem510_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zkteco:zem510:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:zkteco:zem560_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zkteco:zem560:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:zkteco:zem760_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zkteco:zem760:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:zkteco:zem500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zkteco:zem500:-:*:*:*:*:*:*:*

History

08 Aug 2023, 14:22

Type	Values Removed	Values Added
References	~~(MISC) https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses -~~	(MISC) https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses - Exploit, Third Party Advisory
References	~~(MISC) https://seclists.org/fulldisclosure/2022/Oct/23 -~~	(MISC) https://seclists.org/fulldisclosure/2022/Oct/23 - Exploit, Mailing List, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CWE		CWE-425
CPE		cpe:2.3:o:zkteco:zem600_firmware:::::::: cpe:2.3:h:zkteco:zem760:-:::::::* cpe:2.3:h:zkteco:zmm200:-:::::::* cpe:2.3:o:zkteco:zem800_firmware:::::::: cpe:2.3:h:zkteco:zem560:-:::::::* cpe:2.3:o:zkteco:zmm200_firmware:::::::: cpe:2.3:h:zkteco:zem500:-:::::::* cpe:2.3:h:zkteco:zem510:-:::::::* cpe:2.3:h:zkteco:zem800:-:::::::* cpe:2.3:o:zkteco:zem510_firmware:::::::: cpe:2.3:o:zkteco:zem560_firmware:::::::: cpe:2.3:h:zkteco:zmm210:-:::::::* cpe:2.3:o:zkteco:zem760_firmware:::::::: cpe:2.3:h:zkteco:zmm220:-:::::::* cpe:2.3:o:zkteco:zem500_firmware:::::::: cpe:2.3:h:zkteco:zem600:-:::::::* cpe:2.3:h:zkteco:zem720:-:::::::* cpe:2.3:o:zkteco:zmm220_firmware:::::::: cpe:2.3:o:zkteco:zem720_firmware:::::::: cpe:2.3:o:zkteco:zmm210_firmware::::::::

25 Dec 2022, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-12-25 05:15

Updated : 2024-02-04 23:14

NVD link : CVE-2022-42953

Mitre link : CVE-2022-42953

CVE.ORG link : CVE-2022-42953

JSON object : View

Products Affected

zkteco

zem800_firmware
zmm200_firmware
zem500_firmware
zem720_firmware
zem800
zem500
zem600
zem510
zem600_firmware
zmm200
zem560
zem760
zem560_firmware
zmm220_firmware
zem720
zmm210_firmware
zmm220
zmm210
zem760_firmware
zem510_firmware

CWE

CWE-425

Direct Request ('Forced Browsing')

7.5 /10