| 제목 | ZKTeco ZKBio CVSecurity 4.1.0 Stored Cross-Site Scripting |
|---|
| 설명 | A filter bypass was identified in the "Schedule Name" field (parameter name), resulting in a Stored Cross-Site Scripting (Stored XSS) vulnerability. This vulnerability allows a user with permissions to edit existing fields or add new fields in the system to inject malicious scripts. These scripts can steal cookies from administrators or other users, potentially escalating privileges or performing other malicious actions.
Proof of Concept (PoC):
1 - Edit or add a new summer schedule in Access / Access Device / Summer Schedule.
2 - In the "Summer Schedule Name" field, enter any string and intercept it with Burp Suite. In the "name" parameter, place the following payload, bypassing the filters:
"><img src=x onerror="alert``"
3 - Any user accessing the Schedule list will be affected by the Stored Cross-Site Scripting. |
|---|
| 원천 | ⚠️ https://www.zkteco.com.br/zkbiocvsecurity/ |
|---|
| 사용자 | Stux (UID 40142) |
|---|
| 제출 | 2024. 06. 06. PM 08:26 (2 연령 ago) |
|---|
| 모더레이션 | 2024. 06. 14. PM 05:31 (8 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 268694 [ZKTeco ZKBio CVSecurity V5000 4.1.0 Summer Schedule Schedule Name 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 20 |
|---|