CVE-2023-38950

Published Aug 3, 2023

Last updated 6 months ago

Exploit knownCVSS high 7.5

Overview

Description
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.
Source
cve@mitre.org
NVD status
Analyzed
Products
biotime

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
ZKTeco BioTime Path Traversal Vulnerability
Exploit added on
May 19, 2025
Exploit action due
Jun 9, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

nvd@nist.gov
CWE-22
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-22

Social media

Hype score
Not currently trending

  1. CVE-2023-38950 - ZKTeco BioTime Path Traversal vulnerability https://t.co/mmUHbwojBc https://t.co/0QvGt2LqD0

    @ErcanSah1n

    22 Aug 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2023-38950 - ZKTeco BioTime Path Traversal vulnerability https://t.co/JWbox0EuB9 https://t.co/FgQPMSIqJT

    @CloudVirtues

    9 Jun 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2023-38950 - ZKTeco BioTime Path Traversal vulnerability https://t.co/MNcFKLc8l1 https://t.co/UKkJW97B6k

    @SirajD_Official

    8 Jun 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2023-38950 - ZKTeco BioTime Path Traversal vulnerability https://t.co/9rlsIkEf9I https://t.co/bv7SYOGhUf

    @IdentityJason

    6 Jun 2025

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 CVE-2023-38950 - high 🚨 ZKTeco BioTime v8.5.5 - Path Traversal > A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unau... 👾 https://t.co/W7d7Wy736N @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    5 Jun 2025

    132 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2023-38950 - ZKTeco BioTime Path Traversal vulnerability https://t.co/iYjx2rTbxF https://t.co/t84ZjqDxYG

    @scandaletti

    4 Jun 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value '123456'. Users should change their passwords (located under the Attendance Settings tab as "Self-Password").CVE-2024-13966
  2. A vulnerability was found in ZKTeco BioTime up to 9.5.2. It has been classified as problematic. Affected is an unknown function of the component system-group-add Handler. The manipulation of the argument user with the input <script>alert('XSS')</script> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-270366 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.CVE-2024-6523

References

Sources include official advisories and independent security research.