ZKT Eco ADMS - Stored XSS (CVE-2022-44213)

 Hi All,

I was able to identify stored XSS in one online attendance system i.e. ZKT Eco ADMS (v 3.1-164 )(Automatic Data Master Server) is a powerful web-based time and attendance management software. which is used to configure the attendance devices and manage its users.

Cve ID assigned CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213


Technical details

  1. Login to ZKT Eco ADMS (default admin/admin)
  2. Click on System and click on Employee
  3. Click on Append button to add new Employee
  4. In Emp Name field Add your XSS payload. For testing I have used a non malicious code "/><img src=a onerror=alert('stored-XSS');>
  5. Click on Submit button, it will redirect you to the employee list, and our payload will be executed.

XSS payload embedded in EMP NAME field.




our payload executed successfully.

XSS has been fixed in latest versions after 3.1-164.

Comments

Popular posts from this blog

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

Enjay CRM 1.0 - Multiple code executions via Unrestricted Terminal

NetSkope Unauthenticated CSV Injection in Admin UI (CVE-2020-28845)