ZKTeco BioTime v8.5.5 - Path Traversal

A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.

• https://github.com/advisories/GHSA-4m8x-4g54-h49v
• http://zkteco.com
• https://claroty.com/team82/disclosure-dashboard/cve-2023-38950
• https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf
• https://nvd.nist.gov/vuln/detail/CVE-2023-38950