CVE-2016-20030

NVD	https://nvd.nist.gov/vuln/detail/CVE-2016-20030
CWE	https://cwe.mitre.org/data/definitions/551.html

NVD

https://nvd.nist.gov/vuln/detail/CVE-2016-20030

CWE

https://cwe.mitre.org/data/definitions/551.html

ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to enumerate valid user accounts based on application responses.

Weakness

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

Potential Mitigations

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/116485
https://packetstormsecurity.com/files/138573
https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-user-enumeration-via-authloginaction
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5366.php

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Weakness

Potential Mitigations

References