← Advisories

ZKTeco ZKBioSecurity 3.0 Multiple XSS Vulnerabilities

Medium

Advisory ID

ZSL-2016-5363

Release Date

30 August 2016

Vendor

ZKTeco Inc. - http://www.zkteco.com

Affected Version

3.0.1.0_R_230, Platform: 3.0.1.0_R_230, Personnel: 1.0.1.0_R_1916, Access: 6.0.1.0_R_1757, Elevator: 2.0.1.0_R_777, Visitor: 2.0.1.0_R_877, Video:2.0.1.0_R_489, Adms: 1.0.1.0_R_197

CVE

CVE-2016-20027

Tested On

Microsoft Windows 7 Ultimate SP1 (EN), Microsoft Windows 7 Professional SP1 (EN), Apache-Coyote/1.1, Apache Tomcat/7.0.56

Summary

ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identification and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced solution for a whole new user experience.

Description

ZKBioSecurity suffers from multiple reflected XSS vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Proof of Concept

zkbiosecurity_xss.txtTXT

Disclosure Timeline

18.07.2016Vulnerability discovered.

27.07.2016Vendor contacted.

29.08.2016No response from the vendor.

30.08.2016Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://cxsecurity.com/issue/WLB-2016080267

[2]https://exchange.xforce.ibmcloud.com/vulnerabilities/116476

[3]https://packetstormsecurity.com/files/138568

[4]https://www.cve.org/CVERecord?id=CVE-2016-20027

Changelog

30.08.2016Initial release

26.09.2016Added reference [1], [2] and [3]

24.03.2026Added reference [4]