ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Active
User action required
Impact Assessment
Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 5
https://cxsecurity.com/issue/WLB-2016080267
disclosure@vulncheck.com
https://exchange.xforce.ibmcloud.com/vulnerabilities/116476
disclosure@vulncheck.com
https://packetstormsecurity.com/files/138568
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-multiple-reflected-xs…
disclosure@vulncheck.com
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5363.php
disclosure@vulncheck.com