ZKBio Time - CSV Injection (CVE-2022-40472)

Hi all,

I am here with a new post. Recently I identified a CSV injection vulnerability in a web-based time and attendance management software. Below are the details:

Software Description:

ZKBio Time is a powerful web-based time and attendance management software. With a powerful data handling capacity, the system can manage the attendance data of 10,000 employees. It can easily handle hundreds of devices and thousands of employees and their transactions. ZKBio Time comes with an intuitive user interface, is able to manage timetables, shifts and schedules, and can easily generate attendance reports.

Impacted Version: 8.0.7 (Build: 20220721.14829) and before.

CVE ID: CVE-2022-40472

Vulnerability details:

  1. Log in to the ZKBio Time application
  2. In the left menu click on Messages -> Public
  3. Click on the ADD new message button
  4. Write your device serial number
  5. Mention any date/time and duration
  6. In the Content field add your CSV injection payload
  7. As shown below
  8. Any user who extracts the report in CSV format and opens it
  9. The embedded payload will be executed


There is a 90% chance that the user will ignore the warning box shown below, since the report was downloaded from a trusted source. This will lead to payload execution.
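The root cause is that user-supplied message content reaches the exported CSV unmodified, so a spreadsheet opening the report interprets cells that start with a formula trigger. The following Python is added here as an example of the standard export-side mitigation; it is not code from the original post or from the ZKBio Time product, and the field names, device serial numbers and message texts are constructed for illustration.

```python
import csv
import io

# Characters that spreadsheet applications treat as the start of a formula
# or as a cell-control sequence when a CSV file is opened.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` in a form a spreadsheet will treat as plain text.

    Strings that start with a formula trigger are prefixed with a single
    quote, which spreadsheets read as a "this cell is text" marker. Real
    numbers (int/float) are passed through unchanged since they cannot carry
    a formula; everything else is rendered as a string first.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = "" if value is None else str(value)
    # Leading spaces do not stop formula interpretation in some spreadsheets,
    # so the check is made on the first non-space character.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_report(rows, header):
    """Serialize `rows` (dicts keyed by `header`) as CSV with every
    user-controlled cell neutralized.

    The csv module handles quoting of delimiters, embedded quotes and
    newlines; the quote prefix from neutralize_cell handles formula triggers.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(row.get(col)) for col in header])
    return buf.getvalue()


# Constructed sample: one public message whose content begins with "=" (the
# case the post describes) and one benign message. Serial numbers are made up.
SAMPLE_MESSAGES = [
    {"serial": "DEVICE-SN-0001", "duration": 30, "content": "=1+1"},
    {"serial": "DEVICE-SN-0002", "duration": 15, "content": "Shift change at 9am"},
]

if __name__ == "__main__":
    print(export_report(SAMPLE_MESSAGES, ["serial", "duration", "content"]))
```

Applying this at export time protects every report consumer regardless of which spreadsheet they open the file in; validating the Content field on input is a useful second layer but does not cover data already stored.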



Thanks
