ZKTeco ZKTime Web Cross Site Scripting

ZKTeco ZKTime Web version suffers from a cross site scripting vulnerability.

MD5 | 291cec77b877a2a698643e15dc38c568

*1. Introduction*

Vendor: ZKTeco
Affected Product: ZKTime Web -
Fixed in:
Vendor Website: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vulnerability Type: Reflected XSS
Remote Exploitable: Yes
CVE: CVE-2017-17057
*2. Overview*

There is a reflected XSS vulnerability in ZKTime Web. The
vulnerability exists due to insufficient filtration of user-supplied data.
A remote attacker can execute arbitrary HTML and script code in browser in
context of the vulnerable application.

*3. Affected Modules*

Go to
Personnel -> Personnel -> Advanced Query ->

Select Search Field as 'Department' and in 'Range' field mention

*4. Payload*

*5. Credit*
Himanshu Mehta (@LionHeartRoxx)

Related Posts