Vulnerability Description
ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit attacker-controlled pages.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://cxsecurity.com/issue/WLB-2016080268
- https://exchange.xforce.ibmcloud.com/vulnerabilities/116477
- https://packetstormsecurity.com/files/138569
- https://www.exploit-db.com/exploits/40325/
- https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-cross-site-request-for
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5364.php
FAQ
What is CVE-2016-20028?
CVE-2016-20028 is a vulnerability with a CVSS score of 4.3 (MEDIUM). ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attac...
How severe is CVE-2016-20028?
CVE-2016-20028 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-20028?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.