Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 4 Dec 2017 08:32:55 +0530
From: Himanshu Mehta <>
Subject: ZKTime Web Software CVE-2017-17057 Cross Site Scripting

*1. Introduction*

Vendor:                ZKTeco
Affected Product:      ZKTime Web -
Fixed in:
Vendor Website:
Vulnerability Type:    Reflected XSS
Remote Exploitable:    Yes
CVE:                   CVE-2017-17057
*2. Overview*

There is a reflected XSS vulnerability in ZKTime Web. The
vulnerability exists due to insufficient filtration of user-supplied data.
A remote attacker can execute arbitrary HTML and script code in browser in
context of the vulnerable application.

*3. Affected Modules*

Go to
Personnel -> Personnel -> Advanced Query ->

Select Search Field as 'Department' and in 'Range' field mention

*4. Payload*

*5. Credit*
Himanshu Mehta (@LionHeartRoxx)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ