Skip to content

Instantly share code, notes, and snippets.

Forked from hamoshwani/CVE-2022-38802
Created January 25, 2023 05:21
What would you like to do?
Administrator can exploit XSS into local file read using PDF generator in Zkteco Biotime
Security Advisory
Topic: Administrator can exploit XSS into local file read using PDF generator in Zkteco Biotime
Category: Zkteco Biotime
Module: webgui
Announced: 01-09-2022
Credits: Ahmed Kameran From --
CVE ID: CVE-2022-38802
Affects: BioTime - < 8.5.3 Build:20200816.447
Corrected: BioTime - > 8.5.3 Build:20200816.447
1. Background
BioTime 8.0 is a powerful web-based time and attendance management software that provides a stable connection to ZKTeco's
standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to
offer employee self-service by mobile application and web browser.
2. Problem Description
A Cross-Site Scripting (XSS) vulnerabilities was found in
BioTime BioTime - < 8.5.3 Build:20200816.447 that could lead to local file read when you try to export injected payload using pdf
the pdf generator will simply execute the javascript code inside the injected payload that can lead to Local file read
Vulenrable models:
1- When reassigning an employee
Parameter: reason
2- When send private message
3-When adding manual log
4-When adding timetable
5-When adding shift
This got reflected when adding department schedule and employee schedule
6-Xss when adding leave,manuallog,overtime,training
same parameter (reason)
7-When adding holiday
3. Impact
Due to the lack of proper encoding on the affected parameters susceptible to
XSS, arbitrary JavaScript could be executed by pdf generator's headless browser that could lead to local file read
4. Solution
Users can upgrade to 8.5.4 or later.
Please find latest version from the Zkteco main website or they provide hardcopy of the software when you buy an Iface or any attendance devices make sure
You install versions higher than 8.5.3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment