Date: Mon, 4 Dec 2017 08:32:55 +0530 From: Himanshu Mehta <mehta.himanshu21@...il.com> To: oss-security@...ts.openwall.com Subject: ZKTime Web Software 22.214.171.12480 CVE-2017-17057 Cross Site Scripting *1. Introduction* Vendor: ZKTeco Affected Product: ZKTime Web - 126.96.36.19980 Fixed in: Vendor Website: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html Vulnerability Type: Reflected XSS Remote Exploitable: Yes CVE: CVE-2017-17057 *2. Overview* There is a reflected XSS vulnerability in ZKTime Web. The vulnerability exists due to insufficient filtration of user-supplied data. A remote attacker can execute arbitrary HTML and script code in browser in context of the vulnerable application. *3. Affected Modules* Go to Personnel -> Personnel -> Advanced Query -> Select Search Field as 'Department' and in 'Range' field mention '<script>alert('XSS')</script> *4. Payload* <script>alert('XSS')</script> *5. Credit* Himanshu Mehta (@LionHeartRoxx)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ