CVE-2020-17474 | Vulnerability Database | Aqua Security

NVD

https://nvd.nist.gov/vuln/detail/CVE-2020-17474

CWE

https://cwe.mitre.org/data/definitions/613.html

A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary new users, elevate users to administrators, delete users, and download user faces from the database.

Weakness

According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”

Affected Software

Name	Vendor	Start Version	End Version
Zkbiosecurity_server	Zkteco	1.0.0_20190723 (including)	1.0.0_20190723 (including)

Potential Mitigations

References

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/8134/zkteco-facedepot-7b-10213-and-zkbiosecurity-server-10020190723-improper-privilege-vulnerability