Submission #364104: ZKTeco biotime 8.5-9.5.1,2 xss info

Title: ZKTeco biotime 8.5-9.5.1,2 xss
Description:
Vulnerability Title: Cross-Site Scripting (XSS) in biotime 8.5-9.5.2
2024/6/22
Vendor of Product: zkteco biotime
Vulnerability Description: refers to a Cross-Site Scripting (XSS) vulnerability present in [zkteco biotime]. This type of vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. The injected scripts can be executed within the context of the victim's browser, potentially leading to the theft of sensitive information, session hijacking, or other malicious actions.
Root Cause: The vulnerability arises due to insufficient input sanitization in the adv arduis application, enabling attackers to inject malicious scripts into web pages.
Impact: Successful exploitation of this vulnerability can result in the compromise of user data, unauthorized access to sensitive information, session hijacking, and potentially the execution of arbitrary code within the context of the victim's browser.
PoC:
1- Go to biotime 8.5-9.5, log in using user:pass, go to {system-group-add user} and add a user with {code js} <script>alert('XSS')</script>
2- Go to {personnel-employee-add new}
https://ibb.co/mHLDd6W
Source: ⚠️ https://gist.github.com/whiteman007/c8bf92b0294cd2f0cda6bfaca36f8f28
User: Hussein Amer (UID 63322)
Submitted: 2024. 06. 25. PM 02:19 (2 years ago)
Moderation: 2024. 07. 05. AM 06:43 (10 days later)
Status: Accepted
VulDB Entry: 270366 [ZKTeco BioTime up to 9.5.2 system-group-add User cross site scripting]
Points: 20
