Search Results (11 CVEs found)
| CVE | Vendor | Product | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-9508 | Supremainc | Biostar 2 | 2026-05-29 | N/A | Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement. |
| CVE-2026-9509 | Supremainc | Biostar 2 | 2026-05-29 | N/A | An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST requests to the ‘/api/migration’ endpoint. This request triggers a failure that halts critical processes, leaving the system offline until the services or server are manually restarted. As a result, access control readers cease to function, and potential failures may occur in third-party integrations. Since the exploit requires no privileges or user interaction and is trivial to automate, the impact on availability is high, and the effect extends to interconnected systems. |
| CVE-2025-41257 | Supremainc | Biostar 2 | 2026-03-09 | 4.8 Medium | Suprema’s BioStar 2 in version 2.9.11.6 allows users to set a new password without providing the current one. Exploiting this flaw combined with other vulnerabilities can lead to unauthorized account access and potential system compromise. |
| CVE-2022-38351 | Supremainc | Biostar 2 | 2025-05-29 | 8.8 High | A vulnerability in Suprema BioStar (aka Bio Star) 2 v2.8.16 allows attackers to escalate privileges to System Administrator via a crafted PUT request to the update profile page. |
| CVE-2023-27167 | Supremainc | Biostar 2 | 2025-05-05 | 6.5 Medium | Suprema BioStar 2 v2.8.16 was discovered to contain a SQL injection vulnerability via the values parameter at /users/absence?search_month=1. |
| CVE-2023-31923 | Supremainc | Biostar 2 | 2025-01-21 | 8.8 High | Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions. A vulnerability in the web application allows an authenticated attacker with "User Operator" privileges to create a highly privileged user account. The vulnerability is caused by missing server-side validation, which can be exploited to gain full administrator privileges on the system. |
| CVE-2023-33366 | Supremainc | Biostar 2 | 2024-11-21 | 8.8 High | A SQL injection vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows authenticated users to inject arbitrary SQL directives into an SQL statement and execute arbitrary SQL commands. |
| CVE-2023-33365 | Supremainc | Biostar 2 | 2024-11-21 | 7.5 High | A path traversal vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows unauthenticated attackers to fetch arbitrary files from the server's web server. |
| CVE-2023-33364 | Supremainc | Biostar 2 | 2024-11-21 | 8.8 High | An OS command injection vulnerability exists in Suprema BioStar 2 before V2.9.1, which allows authenticated users to execute arbitrary OS commands on the BioStar 2 server. |
| CVE-2023-33363 | Supremainc | Biostar 2 | 2024-11-21 | 7.5 High | An authentication bypass vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows unauthenticated users to access some functionality on BioStar 2 servers. |
| CVE-2020-15050 | Supremainc | Biostar 2 | 2024-11-21 | 7.5 High | An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal. |