| Titre | ZKTeco ZKBio CVSecurity 4.1.0 Stored Cross-Site Scripting |
|---|
| Description | A filter bypass was identified in the "Schedule Name" field (parameter name), resulting in a Stored Cross-Site Scripting (Stored XSS) vulnerability. This vulnerability allows a user with permissions to edit existing fields or add new fields in the system to inject malicious scripts. These scripts can steal cookies from administrators or other users, potentially escalating privileges or performing other malicious actions.
Proof of Concept (PoC):
1 - Edit or add a new summer schedule in Access / Access Device / Summer Schedule.
2 - In the "Summer Schedule Name" field, enter any string and intercept it with Burp Suite. In the "name" parameter, place the following payload, bypassing the filters:
"><img src=x onerror="alert``"
3 - Any user accessing the Schedule list will be affected by the Stored Cross-Site Scripting. |
|---|
| La source | ⚠️ https://www.zkteco.com.br/zkbiocvsecurity/ |
|---|
| Utilisateur | Stux (UID 40142) |
|---|
| Soumission | 06/06/2024 20:26 (il y a 2 ans) |
|---|
| Modérer | 14/06/2024 17:31 (8 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 268694 [ZKTeco ZKBio CVSecurity V5000 4.1.0 Summer Schedule Schedule Name cross site scripting] |
|---|
| Points | 20 |
|---|