ZKTeco ZKTime Web version 2.0.1.12280 suffers from a cross site scripting vulnerability.
291cec77b877a2a698643e15dc38c568
*1. Introduction*
Vendor: ZKTeco
Affected Product: ZKTime Web - 2.0.1.12280
Fixed in:
Vendor Website: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vulnerability Type: Reflected XSS
Remote Exploitable: Yes
CVE: CVE-2017-17057
*2. Overview*
There is a reflected XSS vulnerability in ZKTime Web. The
vulnerability exists due to insufficient filtration of user-supplied data.
A remote attacker can execute arbitrary HTML and script code in browser in
context of the vulnerable application.
*3. Affected Modules*
Go to
Personnel -> Personnel -> Advanced Query ->
Select Search Field as 'Department' and in 'Range' field mention
'<script>alert('XSS')</script>
*4. Payload*
<script>alert('XSS')</script>
*5. Credit*
Himanshu Mehta (@LionHeartRoxx)