CVE Catalog

CVE-2016-20028

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Summary

ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access.

Risk Assessment

This vulnerability poses a significant risk to organizations as it allows attackers to gain full administrative privileges without proper safeguards. This could lead to unauthorized access to sensitive data and systems.

Recommendation

It is recommended to update ZKTeco ZKBioSecurity to the latest version that addresses this vulnerability. Additionally, implementing CSRF protection mechanisms is advisable to minimize the risk of such attacks.

Original NVD description (English source)

ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit attacker-controlled pages.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS