Description

ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application.

Status: PUBLISHED | Reserved: 2026-03-15 | Published: 2026-03-15 | Updated: 2026-03-16 | Assigner: VulnCheck

Metrics

MEDIUM: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)
MEDIUM: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

3.0.1.0_R_230: affected

Credits

LiquidWorm (Gjoko Krstic) of Zero Science Lab, finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5363.php (Zero Science Lab Disclosure), third-party advisory

cxsecurity.com/issue/WLB-2016080267 (CXSecurity), third-party advisory

exchange.xforce.ibmcloud.com/vulnerabilities/116476 (IBM X-Force Exchange), VDB entry

packetstormsecurity.com/files/138568 (Packet Storm Security), exploit

www.vulncheck.com/...-multiple-reflected-xss-vulnerabilities (VulnCheck Advisory: ZKTeco ZKBioSecurity 3.0 Multiple Reflected XSS Vulnerabilities), third-party advisory

cve.org (CVE-2016-20027)

nvd.nist.gov (CVE-2016-20027)