CVE-2024-6344

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-6344
A vulnerability, which was classified as problematic, was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. This affects an unknown part of the component Push Configuration Section. The manipulation of the argument Configuration Name leads to cross site scripting. It is possible to initiate the attack remotely. It is recommended to upgrade the affected component. The vendor explains, that "[s]ince ZKBio CVSecurity v5000 has been withdrawn from the market, we recommend upgrading to ZKBio CVSecurity V6600 6.1.3_R or above". This vulnerability only affects products that are no longer supported by the maintainer.

2.4 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

3.3 /10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:L/Au:M/C:N/I:P/A:N

Exploitability : 6.4 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication MULTIPLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References
Link Resource
https://vuldb.com/?ctiid.269733 Permissions Required VDB Entry
https://vuldb.com/?id.269733 Third Party Advisory VDB Entry
https://vuldb.com/?submit.358596 Third Party Advisory VDB Entry
https://www.zkteco.com/en/Security_Bulletinsibs/17
https://vuldb.com/?ctiid.269733 Permissions Required VDB Entry
https://vuldb.com/?id.269733 Third Party Advisory VDB Entry
https://vuldb.com/?submit.358596 Third Party Advisory VDB Entry
https://www.zkteco.com/en/Security_Bulletinsibs/17
Configurations

Configuration 1 (hide)

cpe:2.3:a:zkteco:zkbiosecurity_v5000:4.1.0:*:*:*:*:*:*:*
History

10 Jul 2025, 07:15

Type Values Removed Values Added
CWE CWE-94
Summary (en) A vulnerability, which was classified as problematic, was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. This affects an unknown part of the component Push Configuration Section. The manipulation of the argument Configuration Name leads to cross site scripting. It is possible to initiate the attack remotely. The identifier VDB-269733 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. (en) A vulnerability, which was classified as problematic, was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. This affects an unknown part of the component Push Configuration Section. The manipulation of the argument Configuration Name leads to cross site scripting. It is possible to initiate the attack remotely. It is recommended to upgrade the affected component. The vendor explains, that "[s]ince ZKBio CVSecurity v5000 has been withdrawn from the market, we recommend upgrading to ZKBio CVSecurity V6600 6.1.3_R or above". This vulnerability only affects products that are no longer supported by the maintainer.
CPE cpe:2.3:a:zkteco:zkbiosecurity_v5000:4.1.0:*:*:*:*:*:*:*
First Time Zkteco zkbiosecurity V5000
Zkteco
References
  • () https://www.zkteco.com/en/Security_Bulletinsibs/17 -
References () https://vuldb.com/?ctiid.269733 - () https://vuldb.com/?ctiid.269733 - Permissions Required, VDB Entry
References () https://vuldb.com/?id.269733 - () https://vuldb.com/?id.269733 - Third Party Advisory, VDB Entry
References () https://vuldb.com/?submit.358596 - () https://vuldb.com/?submit.358596 - Third Party Advisory, VDB Entry
Information

Published : 2024-06-26 11:15

Updated : 2025-07-10 07:15

NVD link : CVE-2024-6344

Mitre link : CVE-2024-6344

CVE.ORG link : CVE-2024-6344

JSON object : View

Products Affected

zkteco

  • zkbiosecurity_v5000
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-94

Improper Control of Generation of Code ('Code Injection')