Abdulwahab
ipxsec
An issue in ZKTeco BioTime v.8.5.4 allows a remote attacker to obtain sensitive information.
Impact
An attacker can build a list of valid usernames by brute-forcing with common usernames, or by taking common last names from census data and appending each letter of the alphabet to generate candidate usernames.
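The wordlist construction described above, as an added example that is not part of the original advisory, together with the defender-side check a practitioner would want: a detector that flags a source address trying many distinct usernames in a short window, which is the signature of enumeration rather than password guessing. The last names, common usernames and the login log format are all constructed for the example and are not BioTime's own.

```python
import re
import string
from collections import defaultdict

# Constructed sample inputs (not from the advisory): a few common last names
# standing in for census data, and a few common usernames.
COMMON_LAST_NAMES = ["smith", "johnson", "williams"]
COMMON_USERNAMES = ["admin", "administrator", "test", "user"]

# Constructed login log (hypothetical format, not BioTime's):
# <unix_ts> <source_ip> login user=<name> result=<ok|fail>
SAMPLE_LOG = """\
1700000000 10.0.0.5 login user=smitha result=fail
1700000001 10.0.0.5 login user=smithb result=fail
1700000002 10.0.0.5 login user=smithc result=fail
1700000003 10.0.0.5 login user=smithd result=fail
1700000004 10.0.0.5 login user=smithe result=fail
1700000010 10.0.0.9 login user=jdoe result=fail
1700000020 10.0.0.9 login user=jdoe result=fail
1700000030 10.0.0.9 login user=jdoe result=fail
1700000040 10.0.0.9 login user=jdoe result=fail
1700000050 10.0.0.9 login user=jdoe result=fail
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def candidate_usernames(last_names=COMMON_LAST_NAMES,
                        common=COMMON_USERNAMES,
                        letters=string.ascii_lowercase):
    """Build the wordlist the advisory describes: common usernames plus
    <lastname><letter> for every letter of the alphabet. Deterministic
    order, duplicates dropped."""
    seen = set()
    out = []
    generated = list(common) + [f"{ln}{c}" for ln in last_names for c in letters]
    for name in generated:
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def flag_enumeration(lines, window=60, threshold=5):
    """Return the sorted list of source IPs that tried `threshold` or more
    DISTINCT usernames within any `window`-second span.

    Counting distinct usernames (not failures per account) is the point:
    password guessing hits one account many times and would trip a per-user
    lockout, while username enumeration hits many accounts once each and
    would not."""
    attempts = defaultdict(list)  # ip -> [(ts, user), ...]
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login events
        attempts[m["ip"]].append((int(m["ts"]), m["user"]))

    flagged = set()
    for ip, events in attempts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users_in_window = {u for t, u in events[i:] if t - t0 <= window}
            if len(users_in_window) >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    wordlist = candidate_usernames()
    print(f"{len(wordlist)} candidates, e.g. {wordlist[:6]} ...")
    print("enumeration suspects:", flag_enumeration(SAMPLE_LOG.splitlines()))
```

In the sample log 10.0.0.5 walks the generated `smitha`..`smithe` list and is flagged, while 10.0.0.9 fails five times against a single account and is not; that address belongs to a per-account lockout rule, not to this detector. Tune `window` and `threshold` to the real login volume before alerting on it.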
ZKTeco BioTime v.8.5.4 contains an endpoint that discloses employee data (name, employee ID, photo, etc.) and can be reached without any authentication or authorization check.
Impact
An attacker might use the disclosed information to build a picture of the organization's systems and employees and develop further targeted attacks, e.g. using the employees' usernames and IDs to gain access to other employee-only systems. The attacker could also leak the information to the internet.