| タイトル | ZKTeco ZKBio CVSecurity 4.1.0 Stored Cross-Site Scripting |
|---|
| 説明 | A filter bypass was identified in the "Schedule Name" field (parameter name), resulting in a Stored Cross-Site Scripting (Stored XSS) vulnerability. This vulnerability allows a user with permissions to edit existing fields or add new fields in the system to inject malicious scripts. These scripts can steal cookies from administrators or other users, potentially escalating privileges or performing other malicious actions.
Proof of Concept (PoC):
1 - Edit or add a new summer schedule in Access / Access Device / Summer Schedule.
2 - In the "Summer Schedule Name" field, enter any string and intercept it with Burp Suite. In the "name" parameter, place the following payload, bypassing the filters:
"><img src=x onerror="alert``"
3 - Any user accessing the Schedule list will be affected by the Stored Cross-Site Scripting. |
|---|
| ソース | ⚠️ https://www.zkteco.com.br/zkbiocvsecurity/ |
|---|
| ユーザー | Stux (UID 40142) |
|---|
| 送信 | 2024年06月06日 20:26 (2 年 ago) |
|---|
| モデレーション | 2024年06月14日 17:31 (8 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 268694 [ZKTeco ZKBio CVSecurity V5000 4.1.0 Summer Schedule Schedule Name クロスサイトスクリプティング] |
|---|
| ポイント | 20 |
|---|