ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others. Standalone service v. 2.1.6-20200907 and possibly others.
Impact: In some cases, it is possible to make a rather limited-length SQL injection, however, it still makes it possible to get another user or perform other actions. In some vulnerabilities, the input size is large enough to make arbitrary queries. You can get user data and system parameters from the database.
Access Vector: Remote
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5
CVE-2023-3942
The described vulnerabilities all stem from SQL injection (SQLi) issues, where user-controlled input is improperly sanitized before being used in database query constructions. The issue originates from a specific database querying function which accepts parameters for SQL command construction, particularly vulnerable in the condition (WHERE clause) segment. User input is directly inserted into these queries without proper validation or escaping, allowing attackers to inject malicious SQL code. This can enable unauthorized database operations, data theft, or manipulation across several functions within the system.
Apply patch from vendor when it will be available for your device.
Vulnerability was discovered by Georgy Kiguradze from Kaspersky.