ZKTeco ZKBioSecurity File Path Manipulation Vulnerability Allowing Arbitrary File Access
Vulnerability
A file path manipulation vulnerability has been identified in ZKTeco ZKBioSecurity version 3.0.1.0_R_230. It allows remote attackers to access arbitrary files by modifying the file path supplied in the xmlPath parameter of the baseAction!getPageXML.action endpoint. The manipulation bypasses access controls and can retrieve sensitive information such as application configuration files, source code, and other protected resources.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive files and information on the server.
Reproduction
To reproduce this vulnerability, send a request to baseAction!getPageXML.action with a crafted xmlPath parameter that includes directory traversal sequences (..) to reach restricted files, such as the WEB-INF/web.xml file.
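A log-side check for this issue, added here as an example and not part of the original advisory: it flags requests to baseAction!getPageXML.action whose xmlPath carries a directory-traversal segment once percent-encoding (including a second layer) is removed. The sample log lines are constructed, and the combined access-log layout is assumed.

```python
"""Flag access-log requests that send a traversing xmlPath to baseAction!getPageXML.action."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ACTION = "baseAction!getPageXML.action"
# A ".." segment delimited by path separators (or the string boundary).
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Request line as quoted in a combined-format access log (assumed layout).
REQUEST_RE = re.compile(r'"([A-Z]+ [^"]+ HTTP/[0-9.]+)"')

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded dots (%252e) are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_probe(request_line: str) -> bool:
    """True when the request targets the action and an xmlPath value climbs out of its directory."""
    fields = request_line.split(" ", 2)
    if len(fields) != 3:
        return False
    parts = urlsplit(fields[1])
    if not parts.path.endswith(ACTION):
        return False
    for raw in parse_qs(parts.query, keep_blank_values=True).get("xmlPath", []):
        # parse_qs decoded once already; strip further layers and unify separators.
        value = decode_fully(raw).replace("\\", "/")
        if TRAVERSAL.search(value):
            return True
    return False

def scan_access_log(lines):
    """Return (line_number, request_line) for every suspicious entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and is_traversal_probe(match.group(1)):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample log: line 1 is a normal page load, lines 2-3 probe for
# WEB-INF/web.xml (single- and double-encoded), line 4 hits a different action.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /baseAction!getPageXML.action?xmlPath=pages/main.xml HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /baseAction!getPageXML.action?xmlPath=..%2F..%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /baseAction!getPageXML.action?xmlPath=%252e%252e%252fWEB-INF%252fweb.xml HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.action?xmlPath=../other.xml HTTP/1.1" 200 100',
]
```

Running scan_access_log over SAMPLE_LOG returns lines 2 and 3; a 200 response on such a request is the signal that the patch is missing.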
