GRANDING UTime Master - Stored XSS (CVE-2023-45391)

 Hi All,

I was able to identify a stored XSS vulnerability in an online attendance system, GRANDING UTime Master (v UTime Master_9.0.7-Build:Apr 4,2023).

CVE ID: CVE-2023-45391

UTime Master is a web-based time and attendance management software that provides a stable connection to GRANDING's standalone push-communication devices over Ethernet/Wi-Fi/GPRS/3G and works as a private cloud, offering employee self-service through a mobile application and web browser.

  1. Log in to UTime Master using an admin account
  2. Click on Personnel > Employee Management > Employee
  3. Select any employee or create a new employee
  4. In the First Name field, embed your payload. For the test case I used "/><img src=a onerror=alert(22)>

XSS payload embedded in EMP NAME field.

Save the employee details. Once the page refreshes, the payload executes.



Your payload executed successfully.

I also observed that multiple other fields, e.g. Device Name and Department, are vulnerable to XSS.

The XSS has been fixed in versions later than 9.0.7-Build:Apr 4,2023.
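The root cause of a stored XSS like this is that a value saved in a text field (here the employee first name) is later written into the page markup without output encoding. The following is an added illustration, not code from GRANDING or from UTime Master, whose implementation is not public here: it contrasts a vulnerable rendering pattern with an entity-encoded one using the payload quoted above, and adds a small audit helper that flags stored records containing markup characters so an administrator can find already-saved payloads in fields such as first name or department. The record layout and function names are assumptions for the example.

```python
import html
import re

# Constructed sample records, not data from the product: the second employee's
# first name is the payload string from the write-up above.
SAMPLE_EMPLOYEES = [
    {"emp_id": "1001", "first_name": "Alice", "department": "Finance"},
    {"emp_id": "1002", "first_name": '"/><img src=a onerror=alert(22)>', "department": "HR"},
]

# Characters and fragments that can break out of an HTML text node or a quoted
# attribute value; used only for auditing stored values, not as the fix.
_MARKUP_RE = re.compile(r'[<>"\']|&#|javascript:', re.IGNORECASE)


def render_employee_row_unsafe(emp):
    """Vulnerable pattern (assumed): stored fields concatenated straight into markup.

    A double quote in first_name closes the value="..." attribute and the rest
    of the string becomes live HTML, which is exactly what the advisory shows.
    """
    return (f'<tr><td>{emp["emp_id"]}</td>'
            f'<td><input value="{emp["first_name"]}"></td>'
            f'<td>{emp["department"]}</td></tr>')


def render_employee_row(emp):
    """Hardened pattern: every stored field is entity-encoded at output time.

    html.escape with quote=True turns < > & " ' into entities, so the browser
    treats the whole value as text inside the attribute rather than as markup.
    """
    def esc(value):
        return html.escape(str(value), quote=True)

    return (f'<tr><td>{esc(emp["emp_id"])}</td>'
            f'<td><input value="{esc(emp["first_name"])}"></td>'
            f'<td>{esc(emp["department"])}</td></tr>')


def find_suspicious_fields(records, fields=("first_name", "department")):
    """Audit helper: return (emp_id, field) pairs whose stored value contains
    markup characters, so previously saved payloads can be reviewed and cleaned."""
    hits = []
    for rec in records:
        for field in fields:
            if _MARKUP_RE.search(str(rec.get(field, ""))):
                hits.append((rec["emp_id"], field))
    return hits


if __name__ == "__main__":
    for emp in SAMPLE_EMPLOYEES:
        print("unsafe :", render_employee_row_unsafe(emp))
        print("escaped:", render_employee_row(emp))
    print("suspicious:", find_suspicious_fields(SAMPLE_EMPLOYEES))
```

Output encoding at render time is the fix that covers every field at once (name, device name, department), which matters because the advisory notes several fields were affected; a content security policy that disallows inline event handlers is a useful second layer but not a substitute.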
