ZKTeco ZKTime Web 2.0.1.12280 Cross Site Scripting Vulnerability

2017-12-01T00:00:00
ID 1337DAY-ID-29091
Type zdt
Reporter Himanshu Mehta
Modified 2017-12-01T00:00:00

Description

ZKTeco ZKTime Web version 2.0.1.12280 suffers from a cross site scripting vulnerability.

                                        
                                            *1. Introduction*

Vendor:                ZKTeco
Affected Product:      ZKTime Web - 2.0.1.12280
Fixed in:
Vendor Website:        https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vulnerability Type:    Reflected XSS
Remote Exploitable:    Yes
CVE:                   CVE-2017-17057
*2. Overview*

There is a reflected XSS vulnerability in ZKTime Web. The
vulnerability exists due to insufficient filtration of user-supplied data.
A remote attacker can execute arbitrary HTML and script code in browser in
context of the vulnerable application.

*3. Affected Modules*

Go to
Personnel -> Personnel -> Advanced Query ->

Select Search Field as 'Department' and in 'Range' field mention
'<script>alert('XSS')</script>

*4. Payload*
<script>alert('XSS')</script>


*5. Credit*
Himanshu Mehta (@LionHeartRoxx)

#  0day.today [2018-01-02]  #