QwikSec

Security Database

CVE

CWE

Training

CVE-2024-1706

Published: Feb 21, 2024

Modified: Aug 22, 2025

PUBLISHED

CVSS v3.1

3.5

LOW

Description

A vulnerability was determined in ZKTeco ZKBio Access IVS up to 3.3.2. This impacts an unknown function of the component Department Name Search Bar. This manipulation with the input <marquee>hi causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor explains: "ZKBio Access IVS is no longer maintained and the product has been replaced by ZKBio CVAccess, it is recommended to replace it with the latest version of ZKBio CVAccess." This vulnerability only affects products that are no longer supported by the maintainer.

Vendor	Product	Versions
ZKTeco	ZKBio Access IVS	affected `3.3.0` affected `3.3.1` affected `3.3.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

VDB-254396 | ZKTeco ZKBio Access IVS Department Name Search Bar cross site scripting

vdb-entry

technical-description

VDB-254396 | CTI Indicators (IOB, IOC, TTP, IOA)

signature

permissions-required

Submit #280083 | zkteco zkbio access IVS 3.3.2 xss

third-party-advisory

Submit #280084 | zkteco zkbio access IVS 3.3.2 xss (Duplicate)

third-party-advisory

https://gist.githubusercontent.com/whiteman007/8d3a09991de4ef336937ba91c07b7856/raw/adc00538d7a8c3c54bde4797a10d9b6af393711d/gistfile1.txt

exploit

https://www.zkteco.com/en/Security_Bulletinsibs/21

related

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.