*1. Introduction* Vendor: ZKTeco Affected Product: ZKTime Web - 2.0.1.12280 Fixed in: Vendor Website: http://ift.tt/2hQZPG4 Vulnerability Type: Reflected XSS Remote Exploitable: Yes CVE: CVE-2017-17057 *2. Overview* There is a reflected XSS vulnerability in ZKTime Web. The vulnerability exists due to insufficient filtration of user-supplied data. A remote attacker can execute arbitrary HTML and script code in browser in context of the vulnerable application. *3. Affected Modules* Go to Personnel -> Personnel -> Advanced Query -> Select Search Field as 'Department' and in 'Range' field mention '*4. Payload* *5. Credit* Himanshu Mehta (@LionHeartRoxx)
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment