Last active: September 27, 2022 19:19
Employee can hijack an administrator session and cookies using blind cross-site scripting in Zkteco Biotime
Security Advisory
Topic: Employee can hijack an administrator session and cookies using blind cross-site scripting in Zkteco Biotime
Category: Zkteco Biotime
Module: webgui
Announced: 01-09-2022
Credits: Ahmed Kameran From https://technobase.krd/ -- https://twitter.com/hamoshwani
CVE ID: CVE-2022-38801
Affects: BioTime - < 8.5.3 Build:20200816.447
Corrected: BioTime - > 8.5.3 Build:20200816.447
1. Background
BioTime 8.0 is a powerful web-based time and attendance management software that maintains a stable connection to ZKTeco's standalone push-communication devices over Ethernet/Wi-Fi/GPRS/3G and works as a private cloud, offering employee self-service through a mobile application and a web browser.
2. Problem Description
A Cross-Site Scripting (XSS) vulnerability was found in BioTime < 8.5.3 Build:20200816.447. When an employee requests approval from an administrator, he/she can insert JavaScript code in place of the reason for the request.
The page does not encode the reason parameter when an employee requests Leave, Overtime or a Manual log.
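As an added illustration (not code from the advisory or from BioTime itself), the following Python shows the encoding failure described above in minimal form: one renderer interpolates the employee-supplied reason field verbatim into the administrator's approval page, the hardened one HTML-entity-encodes every user-controlled field, and a small check flags templates where user-supplied markup survives unchanged. The request structure, field names and sample values are assumptions.

```python
import html
from dataclasses import dataclass


@dataclass
class ApprovalRequest:
    employee: str   # display name of the requester
    kind: str       # "Leave", "Overtime" or "Manual log"
    reason: str     # free text typed by the employee (attacker-controlled)


def render_row_unencoded(req: ApprovalRequest) -> str:
    """Mirrors the defect in the advisory: the reason field is interpolated
    into the administrator's approval page verbatim, so any markup in it is
    parsed by the administrator's browser."""
    return (f"<tr><td>{req.employee}</td><td>{req.kind}</td>"
            f"<td>{req.reason}</td></tr>")


def render_row_encoded(req: ApprovalRequest) -> str:
    """Hardened form: every user-controlled field is HTML-entity encoded
    (html.escape also encodes quotes) before it lands in element content."""
    return (f"<tr><td>{html.escape(req.employee)}</td>"
            f"<td>{html.escape(req.kind)}</td>"
            f"<td>{html.escape(req.reason)}</td></tr>")


MARKUP_CHARS = '<>"\'&'


def user_markup_survives(rendered: str, user_input: str) -> bool:
    """Regression check for templates: True when user input that contains
    markup-significant characters appears unchanged in the rendered HTML,
    i.e. the template failed to encode it."""
    if not any(ch in user_input for ch in MARKUP_CHARS):
        return False        # plain text cannot break out of element content
    return user_input in rendered


# Constructed sample requests (hypothetical, not taken from the advisory).
MALICIOUS = ApprovalRequest("Alice", "Leave",
                            "Doctor visit <script>alert(1)</script>")
BENIGN = ApprovalRequest("Bob", "Overtime", "Quarter-end closing")


if __name__ == "__main__":
    for req in (MALICIOUS, BENIGN):
        print("unencoded, markup survives:",
              user_markup_survives(render_row_unencoded(req), req.reason))
        print("encoded,   markup survives:",
              user_markup_survives(render_row_encoded(req), req.reason))
```

The same check can be run over a real template's output in a test suite so that a regression to verbatim interpolation of the reason field is caught before release.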
3. Impact
Because the affected parameter is not properly encoded, arbitrary JavaScript could be executed in the administrator's browser. The administrator's session cookie or other information from the session may be compromised by a malicious employee.
4. Solution
Users can upgrade to 8.5.4 or later.
Please obtain the latest version from the Zkteco main website. Zkteco also provides a hard copy of the software when you buy an iFace or any other attendance device; make sure you install a version higher than 8.5.3.