ZKTeco ZKTime Web 2.0.1.12280 Cross Site Scripting

2017-11-30T00:00:00
ID PACKETSTORM:145159
Type packetstorm
Reporter Himanshu Mehta
Modified 2017-11-30T00:00:00

Description

                                        
                                            `*1. Introduction*  
  
Vendor: ZKTeco  
Affected Product: ZKTime Web - 2.0.1.12280  
Fixed in:  
Vendor Website: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html  
Vulnerability Type: Reflected XSS  
Remote Exploitable: Yes  
CVE: CVE-2017-17057  
*2. Overview*  
  
There is a reflected XSS vulnerability in ZKTime Web. The  
vulnerability exists due to insufficient filtration of user-supplied data.  
A remote attacker can execute arbitrary HTML and script code in browser in  
context of the vulnerable application.  
  
*3. Affected Modules*  
  
Go to  
Personnel -> Personnel -> Advanced Query ->  
  
Select Search Field as 'Department' and in 'Range' field mention  
'<script>alert('XSS')</script>  
  
*4. Payload*  
<script>alert('XSS')</script>  
  
  
*5. Credit*  
Himanshu Mehta (@LionHeartRoxx)  
`