Full Disclosure mailing list archives
ZKTime Web Software 2.0.1.12280 CVE-2017-17057 Cross Site Scripting
From: Himanshu Mehta <mehta.himanshu21 () gmail com>
Date: Thu, 30 Nov 2017 09:12:32 +0530
*1. Introduction* Vendor: ZKTeco Affected Product: ZKTime Web - 2.0.1.12280 Fixed in: Vendor Website: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html Vulnerability Type: Reflected XSS Remote Exploitable: Yes CVE: CVE-2017-17057 *2. Overview* There is a reflected XSS vulnerability in ZKTime Web. The vulnerability exists due to insufficient filtration of user-supplied data. A remote attacker can execute arbitrary HTML and script code in browser in context of the vulnerable application. *3. Affected Modules* Go to Personnel -> Personnel -> Advanced Query -> Select Search Field as 'Department' and in 'Range' field mention '<script>alert('XSS')</script> *4. Payload* <script>alert('XSS')</script> *5. Credit* Himanshu Mehta (@LionHeartRoxx) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- ZKTime Web Software 2.0.1.12280 CVE-2017-17057 Cross Site Scripting Himanshu Mehta (Dec 01)