CVE-2016-20027 - Vulnerability Details

ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Zkteco	Zkbiosecurity

No data.

References

Link	Providers
https://cxsecurity.com/issue/WLB-2016080267
https://exchange.xforce.ibmcloud.com/vulnerabilities/116476
https://packetstormsecurity.com/files/138568
https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-multiple-reflected-xss-vulnerabilities
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5363.php

History

Mon, 16 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zkteco Zkteco zkbiosecurity
Vendors & Products		Zkteco Zkteco zkbiosecurity

Sun, 15 Mar 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application.
Title		ZKTeco ZKBioSecurity 3.0 Multiple Reflected XSS Vulnerabilities
Weaknesses		CWE-79
References		https://cxsecurity.com/issue/WLB-2016080267 https://exchange.xforce.ibmcloud.com/vulnerabilities/116476 https://packetstormsecurity.com/files/138568 https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-multiple-reflected-xss-vulnerabilities https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5363.php
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-03-15T13:35:21.111Z

Updated: 2026-03-16T14:20:20.593Z

Reserved: 2026-03-15T12:36:42.720Z

Link: CVE-2016-20027

Vulnrichment

Updated: 2026-03-16T14:17:52.318Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:17:49.117

Modified: 2026-03-16T14:53:46.157

Link: CVE-2016-20027

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object