Date: Mon, 4 Dec 2017 08:32:55 +0530 From: Himanshu Mehta <mehta.himanshu21@...il.com> To: oss-security@...ts.openwall.com Subject: ZKTime Web Software 220.127.116.1180 CVE-2017-17057 Cross Site Scripting *1. Introduction* Vendor: ZKTeco Affected Product: ZKTime Web - 18.104.22.16880 Fixed in: Vendor Website: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html Vulnerability Type: Reflected XSS Remote Exploitable: Yes CVE: CVE-2017-17057 *2. Overview* There is a reflected XSS vulnerability in ZKTime Web. The vulnerability exists due to insufficient filtration of user-supplied data. A remote attacker can execute arbitrary HTML and script code in browser in context of the vulnerable application. *3. Affected Modules* Go to Personnel -> Personnel -> Advanced Query -> Select Search Field as 'Department' and in 'Range' field mention '<script>alert('XSS')</script> *4. Payload* <script>alert('XSS')</script> *5. Credit* Himanshu Mehta (@LionHeartRoxx)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.