ZKTeco ZKTime Web Cross Site Scripting

Type packetstorm
Reporter Himanshu Mehta
Modified 2017-11-30T00:00:00


*1. Introduction*  
Vendor: ZKTeco  
Affected Product: ZKTime Web -  
Fixed in:  
Vendor Website: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html  
Vulnerability Type: Reflected XSS  
Remote Exploitable: Yes  
CVE: CVE-2017-17057  
*2. Overview*  
There is a reflected XSS vulnerability in ZKTime Web. The  
vulnerability exists due to insufficient filtering of user-supplied data.  
A remote attacker can execute arbitrary HTML and script code in the browser  
in the context of the vulnerable application.  
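The root cause described above is a query value echoed back into the page without output encoding. The following is an added example (not code from ZKTime Web or from this advisory) that models such an "Advanced Query" results page: `render_results_unsafe` pastes the submitted `field` and `range` parameters straight into HTML, `render_results_safe` HTML-escapes them first, and `reflects_markup` is a check a regression test or response scanner can run to tell the two apart. The parameter names, the template layout and the sample input are all assumptions.

```python
"""Reflected XSS: unescaped echo of a query parameter versus HTML-escaped echo.

Added example, not code from ZKTime Web or from the advisory. The function
names, the `field`/`range` parameter names and the page layout are
assumptions modelling an "Advanced Query" results page.
"""
import html
import re
from urllib.parse import parse_qs, quote

# Assumed layout: the search field and range the user submitted are echoed
# back above the result table.
TEMPLATE = "<p>Search field: {field}; range: {range}</p>"


def render_results_unsafe(query_string: str) -> str:
    """Vulnerable pattern: user input is placed straight into the HTML."""
    params = parse_qs(query_string)
    field = params.get("field", [""])[0]
    rng = params.get("range", [""])[0]
    return TEMPLATE.format(field=field, range=rng)


def render_results_safe(query_string: str) -> str:
    """Hardened pattern: every user-controlled value is HTML-escaped
    (including quotes) before it is placed in element content."""
    params = parse_qs(query_string)
    field = html.escape(params.get("field", [""])[0], quote=True)
    rng = html.escape(params.get("range", [""])[0], quote=True)
    return TEMPLATE.format(field=field, range=rng)


# Matches an HTML start or end tag such as <i title="x"> or </i>.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def reflects_markup(page: str, user_value: str) -> bool:
    """Detection check: does the rendered page contain a tag that appeared
    verbatim in the user-supplied value? True means the value was reflected
    without encoding."""
    user_tags = set(_TAG_RE.findall(user_value))
    page_tags = set(_TAG_RE.findall(page))
    return bool(user_tags & page_tags)


# Constructed sample input: a "department" value containing markup characters.
SAMPLE_RANGE = '<i title="x">Sales</i> & Co'
SAMPLE_QS = "field=Department&range=" + quote(SAMPLE_RANGE, safe="")


if __name__ == "__main__":
    unsafe_page = render_results_unsafe(SAMPLE_QS)
    safe_page = render_results_safe(SAMPLE_QS)
    print("unsafe:", unsafe_page, "| reflected:", reflects_markup(unsafe_page, SAMPLE_RANGE))
    print("safe:  ", safe_page, "| reflected:", reflects_markup(safe_page, SAMPLE_RANGE))
```

The escaping here is the right choice only because the values land in element content; a value written into an attribute, a URL or a script block needs the encoding appropriate to that context, and the `reflects_markup` check is a smoke test, not a substitute for context-aware output encoding in the template engine.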
*3. Affected Modules*  
Go to  
Personnel -> Personnel -> Advanced Query ->  
Select Search Field as 'Department' and in 'Range' field mention  
*4. Payload*  
*5. Credit*  
Himanshu Mehta (@LionHeartRoxx)