CVE-2024-1706 (GCVE-0-2024-1706)
Vulnerability from cvelistv5
Published
2024-02-21 18:00
Modified
2025-08-22 07:29
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability was determined in ZKTeco ZKBio Access IVS up to 3.3.2. This impacts an unknown function of the component Department Name Search Bar. This manipulation with the input <marquee>hi causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor explains: "ZKBio Access IVS is no longer maintained and the product has been replaced by ZKBio CVAccess, it is recommended to replace it with the latest version of ZKBio CVAccess." This vulnerability only affects products that are no longer supported by the maintainer.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ZKTeco | ZKBio Access IVS |
Version: 3.3.0 Version: 3.3.1 Version: 3.3.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.807Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VDB-254396 | ZKTeco ZKBio Access IVS Department Name Search Bar cross site scripting",
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.254396"
},
{
"name": "VDB-254396 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.254396"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://gist.githubusercontent.com/whiteman007/8d3a09991de4ef336937ba91c07b7856/raw/adc00538d7a8c3c54bde4797a10d9b6af393711d/gistfile1.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-23T19:40:22.669488Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T19:40:34.027Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Department Name Search Bar"
],
"product": "ZKBio Access IVS",
"vendor": "ZKTeco",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Hussein Amer (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in ZKTeco ZKBio Access IVS up to 3.3.2. This impacts an unknown function of the component Department Name Search Bar. This manipulation with the input \u003cmarquee\u003ehi causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor explains: \"ZKBio Access IVS is no longer maintained and the product has been replaced by ZKBio CVAccess, it is recommended to replace it with the latest version of ZKBio CVAccess.\" This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in ZKTeco ZKBio Access IVS bis 3.3.2 gefunden. Dies betrifft einen unbekannten Teil der Komponente Department Name Search Bar. Mit der Manipulation mit der Eingabe \u003cmarquee\u003ehi mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T07:29:38.911Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-254396 | ZKTeco ZKBio Access IVS Department Name Search Bar cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.254396"
},
{
"name": "VDB-254396 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.254396"
},
{
"name": "Submit #280083 | zkteco zkbio access IVS 3.3.2 xss",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.280083"
},
{
"name": "Submit #280084 | zkteco zkbio access IVS 3.3.2 xss (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.280084"
},
{
"tags": [
"exploit"
],
"url": "https://gist.githubusercontent.com/whiteman007/8d3a09991de4ef336937ba91c07b7856/raw/adc00538d7a8c3c54bde4797a10d9b6af393711d/gistfile1.txt"
},
{
"tags": [
"related"
],
"url": "https://www.zkteco.com/en/Security_Bulletinsibs/21"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2024-02-21T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-02-21T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2024-02-21T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-22T09:34:29.000Z",
"value": "VulDB entry last update"
}
],
"title": "ZKTeco ZKBio Access IVS Department Name Search Bar cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2024-1706",
"datePublished": "2024-02-21T18:00:07.522Z",
"dateReserved": "2024-02-21T12:31:15.436Z",
"dateUpdated": "2025-08-22T07:29:38.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://vuldb.com/?id.254396\", \"name\": \"VDB-254396 | ZKTeco ZKBio Access IVS Department Name Search Bar cross site scripting\", \"tags\": [\"vdb-entry\", \"technical-description\", \"x_transferred\"]}, {\"url\": \"https://vuldb.com/?ctiid.254396\", \"name\": \"VDB-254396 | CTI Indicators (IOB, IOC, TTP, IOA)\", \"tags\": [\"signature\", \"permissions-required\", \"x_transferred\"]}, {\"url\": \"https://gist.githubusercontent.com/whiteman007/8d3a09991de4ef336937ba91c07b7856/raw/adc00538d7a8c3c54bde4797a10d9b6af393711d/gistfile1.txt\", \"tags\": [\"exploit\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T18:48:21.807Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-1706\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-23T19:40:22.669488Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-23T19:40:26.449Z\"}}], \"cna\": {\"tags\": [\"unsupported-when-assigned\"], \"title\": \"ZKTeco ZKBio Access IVS Department Name Search Bar cross site scripting\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Hussein Amer (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.1, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 3.5, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 3.5, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 4, \"vectorString\": \"AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR\"}}], \"affected\": [{\"vendor\": \"ZKTeco\", \"modules\": [\"Department Name Search Bar\"], \"product\": \"ZKBio Access IVS\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.3.0\"}, {\"status\": \"affected\", \"version\": \"3.3.1\"}, {\"status\": \"affected\", \"version\": \"3.3.2\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-02-21T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2024-02-21T00:00:00.000Z\", \"value\": \"CVE reserved\"}, {\"lang\": \"en\", \"time\": \"2024-02-21T01:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2025-08-22T09:34:29.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.254396\", \"name\": \"VDB-254396 | ZKTeco ZKBio Access IVS Department Name Search Bar cross site scripting\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.254396\", \"name\": \"VDB-254396 | CTI Indicators (IOB, IOC, TTP, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.280083\", \"name\": \"Submit #280083 | zkteco zkbio access IVS 3.3.2 xss\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://vuldb.com/?submit.280084\", \"name\": \"Submit #280084 | zkteco zkbio access IVS 3.3.2 xss (Duplicate)\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://gist.githubusercontent.com/whiteman007/8d3a09991de4ef336937ba91c07b7856/raw/adc00538d7a8c3c54bde4797a10d9b6af393711d/gistfile1.txt\", \"tags\": [\"exploit\"]}, {\"url\": \"https://www.zkteco.com/en/Security_Bulletinsibs/21\", \"tags\": [\"related\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was determined in ZKTeco ZKBio Access IVS up to 3.3.2. This impacts an unknown function of the component Department Name Search Bar. This manipulation with the input \u003cmarquee\u003ehi causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor explains: \\\"ZKBio Access IVS is no longer maintained and the product has been replaced by ZKBio CVAccess, it is recommended to replace it with the latest version of ZKBio CVAccess.\\\" This vulnerability only affects products that are no longer supported by the maintainer.\"}, {\"lang\": \"de\", \"value\": \"Eine Schwachstelle wurde in ZKTeco ZKBio Access IVS bis 3.3.2 gefunden. Dies betrifft einen unbekannten Teil der Komponente Department Name Search Bar. Mit der Manipulation mit der Eingabe \u003cmarquee\u003ehi mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \\u00fcber das Netzwerk erfolgen. Der Exploit wurde der \\u00d6ffentlichkeit bekannt gemacht und k\\u00f6nnte verwendet werden.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"Cross Site Scripting\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"Code Injection\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2025-08-22T07:29:38.911Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-1706\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-22T07:29:38.911Z\", \"dateReserved\": \"2024-02-21T12:31:15.436Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2024-02-21T18:00:07.522Z\", \"assignerShortName\": \"VulDB\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…