CVE-2017-14680

high

Published 2017-09-21 · Modified 2026-05-13

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.5

Description

ZKTeco ZKTime Web 2.0.1.12280 allows remote attackers to obtain sensitive employee metadata via a direct request for a PDF document.

Predictions

Exploit likelihood

83%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-43019 webapps windows text · 2 KB

Arvind V · 2017-08-18

ZKTime Web Software 2.0 - Improper Access Restrictions

text exploit Source: Exploit-DB

Exploit Title: ZKTime Web Software 2.0 - Broken Authentication
CVE-ID: CVE-2017-14680
Vendor Homepage: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vendor of Product: ZKTeco
Affected Product Code: ZKTime Web - 2.0.1.12280
Category: WebApps
Author: Arvind V.
Author Social: @Find_Arvind

------------------------------------------

Product description:
ZKTime Web 2.0 is a cutting edge Web-based Time Attendance software, which
provided a stable communication for devices through GPRS/WAN, hence, users
can access the software anywhere by their Web Browser to remotely manage
hundreds of T&A terminals under complex network condition (WLAN). The
Application has an administrator role and application user role.

Attack Description:
The Application is a time attendance software which allows users to
download their time and attendance data from the application in a PDF
Format. The data includes their employee’s id, user-id, gender,
birth-dates, phone numbers and access-areas. These PDF Files however are
not properly authenticated. If any user get access to the file-download
link, he can go ahead and download these files directly without any
authentication.

Proof of Concept Links:

1) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144237.pdf
<http://xx.xx.xx.xx:8081/tmp/report_file/Personnel_20170820144237.pdf>
2) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144238.pdf
<http://xx.xx.xx.xx:8081/tmp/report_file/Personnel_20170820144238.pdf>
3) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144239.pdf
<http://xx.xx.xx.xx:8081/tmp/report_file/Personnel_20170820144239.pdf>


Impact:
Personal details pertaining to the employees of the company are disclosed
without their permissions. This leads to violation of user privacy.
Moreover the information available can be used to mount further attacks.

References:
http://seclists.org/fulldisclosure/2017/Sep/39
http://seclists.org/bugtraq/2017/Sep/20
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14680


Vulnerability Timeline:
18th August 2017 – Vulnerability Discovered
20th August 2017 – Contacted Vendor – No Response
1st September 2017 – Contacted Vendor again – No Response
18th September 2017 – Vulnerability Disclosed

Application impact

Vendor	Product	Versions	Fixed
zkteco	zktime_web	`2.0.1.12280`

References

CWEs

CWE-200

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.