ZKTeco ZKTime Web Cross Site Scripting Vulnerability

ID 1337DAY-ID-29091
Type zdt
Reporter Himanshu Mehta
Modified 2017-12-01T00:00:00


ZKTeco ZKTime Web version suffers from a cross site scripting vulnerability.

                                            *1. Introduction*

Vendor:                ZKTeco
Affected Product:      ZKTime Web -
Fixed in:
Vendor Website:        https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vulnerability Type:    Reflected XSS
Remote Exploitable:    Yes
CVE:                   CVE-2017-17057
*2. Overview*

There is a reflected XSS vulnerability in ZKTime Web. The
vulnerability exists due to insufficient filtration of user-supplied data.
A remote attacker can execute arbitrary HTML and script code in browser in
context of the vulnerable application.

*3. Affected Modules*

Go to
Personnel -> Personnel -> Advanced Query ->

Select Search Field as 'Department' and in 'Range' field mention

*4. Payload*

*5. Credit*
Himanshu Mehta (@LionHeartRoxx)

#  0day.today [2018-01-02]  #