@ipxsec
Last active February 28, 2024 08:13

User Enumeration

Description:

An issue in ZKTeco BioTime v.8.5.4 allows a remote attacker to obtain sensitive information.

Impact

An attacker can perform a brute-force attack with common usernames, or may use census data of common last names and append each letter of the alphabet to generate valid username lists.

Vulnerability path:

https://[org_domain]/forgetPassword

Affected target

This vulnerability was tested and found on version 8.5.4.

Proof of Concept (PoC)

Send a simple POST request to the "/forgetPassword" endpoint containing a valid username and an invalid email.
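
A defender-side check for the brute-force pattern described under Impact, added here as an example and not part of the original advisory: it counts POST requests to /forgetPassword per source address within a sliding time window. The access-log format, the threshold and window values, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/forgetPassword"  # path taken from the advisory
# Assumed log format: common/combined access log (an assumption, not from the advisory).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def _line(ip, hhmmss, method, path):
    """Build one constructed log line for the sample below."""
    return f'{ip} - - [28/Feb/2024:{hhmmss} +0000] "{method} {path} HTTP/1.1" 200 512'

# Constructed sample data (documentation address ranges), not real traffic.
SAMPLE_LOG = "\n".join(
    # One source sends six reset requests in 25 seconds.
    [_line("203.0.113.7", f"08:00:{s:02d}", "POST", ENDPOINT) for s in range(0, 30, 5)]
    # Another source sends two requests ten minutes apart (ordinary use).
    + [_line("198.51.100.20", "08:01:00", "POST", ENDPOINT),
       _line("198.51.100.20", "08:11:00", "POST", ENDPOINT),
       # Requests that must not be counted: wrong method, wrong path.
       _line("192.0.2.5", "08:02:00", "GET", ENDPOINT),
       _line("192.0.2.5", "08:02:05", "POST", "/login")]
)

def flag_enumeration(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: peak POST count to ENDPOINT in any window} for
    sources whose peak count reaches the threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ip, ts, method, path, _status = m.groups()
        if method == "POST" and path.split("?")[0].rstrip("/") == ENDPOINT:
            hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            # Shrink the window from the left until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

Per-source counting misses attempts spread across many addresses, so a total request rate for the endpoint is a useful second signal.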

Discoverer

Abdulwahab Alismaeel from Jahez International Company
