CVE-2024-2318 | ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028 Service Port 9999 /pro/common/download fileName path traversal

A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: ‘../filedir’.

This vulnerability is traded as CVE-2024-2318. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2024-2318 | ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028 Service Port 9999 /pro/common/download fileName path traversal

Related Posts

CVE-2024-41370 | Organizr 1.90 chat/setlike.php sql injection

CVE-2024-7579 | Alien Technology ALR-F800 up to 19.10.24.00 File Name upgrade.cgi popen uploadedFile os command injection

CVE-2023-52484 | Linux Kernel up to 5.15.133/6.1.55/6.5.5 on CPU arm-smmu-v3 arm_smmu_mm_arch_invalidate_secondary_tlbs denial of service

CVE-2024-27240 | Zoom Workplace Desktop App on Windows Installer input validation (ZSB-24019)