ZKT Eco ADMS - Stored XSS (CVE-2022-44213)
Hi All,
I identified a stored XSS in an online attendance system, ZKT Eco ADMS (Automatic Data Master Server) v3.1-164. ADMS is a web-based time and attendance management application used to configure attendance devices and manage their users.
Assigned CVE ID: CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213
Technical details
- Log in to ZKT Eco ADMS (default credentials admin/admin, if unchanged)
- Click on System, then click on Employee
- Click on the Append button to add a new employee
- In the Emp Name field, enter your XSS payload. For testing I used the non-malicious payload "/><img src=a onerror=alert('stored-XSS');>
- Click on the Submit button. It redirects you to the employee list, where the stored payload is rendered and executed.
XSS payload embedded in the Emp Name field.
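The break-out mechanics of the payload above, as an added example that is not ADMS's own code: the row template, the `emp_name` field name and the helper functions are assumptions made for illustration. The point is that the stored name is interpolated into a quoted `value` attribute, so the leading `"/>` closes both the attribute and the tag, and everything after it lands in the page as a new element. Parsing the vulnerable rendering and the HTML-escaped rendering the way a browser would shows why output encoding fixes the bug without losing the stored data.

```python
import html
from html.parser import HTMLParser

# Payload from the advisory: it first closes the quoted attribute and the tag
# it sits in, then injects an <img> whose onerror handler runs script.
PAYLOAD = '"/><img src=a onerror=alert(\'stored-XSS\');>'


def render_employee_row_vulnerable(emp_name: str) -> str:
    """Hypothetical employee-list row that interpolates the stored name verbatim."""
    return f'<tr><td><input name="emp_name" value="{emp_name}"/></td></tr>'


def render_employee_row_safe(emp_name: str) -> str:
    """Same hypothetical row with the name HTML-escaped before interpolation.

    quote=True also escapes " and ', which is what prevents attribute break-out.
    """
    safe_name = html.escape(emp_name, quote=True)
    return f'<tr><td><input name="emp_name" value="{safe_name}"/></td></tr>'


class TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser's tokenizer would."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    # HTMLParser routes self-closing tags (<input .../>) through handle_starttag too.
    def handle_starttag(self, tag: str, attrs: list) -> None:
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str) -> list[tuple[str, dict]]:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def tag_names(markup: str) -> list[str]:
    """Element names in document order; an extra 'img' means the payload broke out."""
    return [tag for tag, _ in parse_tags(markup)]


def injected_handlers(markup: str) -> list[tuple[str, str]]:
    """(tag, attribute) pairs for every on* event handler the parser finds."""
    return [
        (tag, attr)
        for tag, attrs in parse_tags(markup)
        for attr in attrs
        if attr.startswith("on")
    ]


def stored_value(markup: str) -> str:
    """Value the emp_name input actually carries after parsing (entities decoded)."""
    for tag, attrs in parse_tags(markup):
        if tag == "input" and attrs.get("name") == "emp_name":
            return attrs.get("value") or ""
    return ""


if __name__ == "__main__":
    for label, render in (("vulnerable", render_employee_row_vulnerable),
                          ("escaped", render_employee_row_safe)):
        markup = render(PAYLOAD)
        print(f"[{label}] tags={tag_names(markup)} handlers={injected_handlers(markup)}")
        print(f"[{label}] emp_name as parsed: {stored_value(markup)!r}")
```

In the vulnerable rendering the parser sees an empty `value=""`, then a separate `<img>` carrying an `onerror` attribute, which is exactly what a browser would execute when the employee list loads. In the escaped rendering there is no `<img>` at all, and the decoded attribute value round-trips to the original payload string, so the name is stored and displayed as data rather than markup. Escaping on output is the fix here; rejecting `<` or `"` on input alone is not, since the same value may be rendered in other contexts (JSON, attribute, script) later.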
The XSS has been fixed in versions later than 3.1-164.