CVE-2016-20030 | THREATINT

Description

ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to enumerate valid user accounts based on application responses.

PUBLISHED Reserved 2026-03-15 | Published 2026-03-15 | Updated 2026-03-16 | Assigner VulnCheck

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Product status

3.0.1.0_R_230

affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5366.php (Zero Science Lab Disclosure) third-party-advisory

exchange.xforce.ibmcloud.com/vulnerabilities/116485 (IBM X-Force Exchange) vdb-entry

packetstormsecurity.com/files/138573 (Packet Storm Security) exploit

www.vulncheck.com/...ty-user-enumeration-via-authloginaction (VulnCheck Advisory: ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction) third-party-advisory

cve.org (CVE-2016-20030)

nvd.nist.gov (CVE-2016-20030)

Download JSON