hamoshwani/CVE-2022-38801

## CVE-2022-38801
Security Advisory

Topic:          Employee can hijack an administrator session and cookies using blind cross-site scripting in Zkteco Biotime

Category:       Zkteco Biotime
Module:         webgui
Announced:      01-09-2022
Credits:        Ahmed Kameran From https://technobase.krd/ -- https://twitter.com/hamoshwani
CVE ID:         CVE-2022-38801
Affects:        BioTime - < 8.5.3  Build:20200816.447
Corrected:      BioTime - > 8.5.3  Build:20200816.447

1.   Background

BioTime 8.0 is a powerful web-based time and attendance management software that provides a stable connection to ZKTeco's
standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to
offer employee self-service by mobile application and web browser.

2.  Problem Description

A Cross-Site Scripting (XSS) vulnerabilities was found in
BioTime BioTime - < 8.5.3  Build:20200816.447 when an employee try to request approval from administrator he/she can
insert javascript codes instead of reason's for their request.

The page did not encode the reason parameter when an employe requests for Leave or overtime or Manual log

3. Impact

Due to the lack of proper encoding on the affected parameters susceptible to
XSS, arbitrary JavaScript could be executed in the administrator's browser. The administrator's
session cookie or other information from the session may be compromised by an malicious employee


4.   Solution

Users can upgrade to 8.5.4 or later.
Please find latest version from the Zkteco main website or they provide hardcopy of the software when you buy an Iface or any attendance devices make sure
You install versions higher than 8.5.3
	Security Advisory

	Topic: Employee can hijack an administrator session and cookies using blind cross-site scripting in Zkteco Biotime

	Category: Zkteco Biotime
	Module: webgui
	Announced: 01-09-2022
	Credits: Ahmed Kameran From https://technobase.krd/ -- https://twitter.com/hamoshwani
	CVE ID: CVE-2022-38801
	Affects: BioTime - < 8.5.3 Build:20200816.447
	Corrected: BioTime - > 8.5.3 Build:20200816.447

	1. Background

	BioTime 8.0 is a powerful web-based time and attendance management software that provides a stable connection to ZKTeco's
	standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to
	offer employee self-service by mobile application and web browser.

	2. Problem Description

	A Cross-Site Scripting (XSS) vulnerabilities was found in
	BioTime BioTime - < 8.5.3 Build:20200816.447 when an employee try to request approval from administrator he/she can
	insert javascript codes instead of reason's for their request.

	The page did not encode the reason parameter when an employe requests for Leave or overtime or Manual log

	3. Impact

	Due to the lack of proper encoding on the affected parameters susceptible to
	XSS, arbitrary JavaScript could be executed in the administrator's browser. The administrator's
	session cookie or other information from the session may be compromised by an malicious employee


	4. Solution

	Users can upgrade to 8.5.4 or later.
	Please find latest version from the Zkteco main website or they provide hardcopy of the software when you buy an Iface or any attendance devices make sure
	You install versions higher than 8.5.3