ZKTeco ZKTime Web version 18.104.22.16880 suffers from a cross site scripting vulnerability.
*1. Introduction* Vendor: ZKTeco Affected Product: ZKTime Web - 22.214.171.12480 Fixed in: Vendor Website: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html Vulnerability Type: Reflected XSS Remote Exploitable: Yes CVE: CVE-2017-17057 *2. Overview* There is a reflected XSS vulnerability in ZKTime Web. The vulnerability exists due to insufficient filtration of user-supplied data. A remote attacker can execute arbitrary HTML and script code in browser in context of the vulnerable application. *3. Affected Modules* Go to Personnel -> Personnel -> Advanced Query -> Select Search Field as 'Department' and in 'Range' field mention '<script>alert('XSS')</script> *4. Payload* <script>alert('XSS')</script> *5. Credit* Himanshu Mehta (@LionHeartRoxx) # 0day.today [2018-01-02] #