CVE-2022-44213
Description
ZKBio ECO ADMS <=3.1-164 has a stored XSS in the Employee field that allows attacker to execute arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ZKTeco ZKBio ECO ADMS (Automatic Data Master Server) versions up to and including 3.1-164 contain a stored cross-site scripting (XSS) vulnerability in the Employee Name field. The application is a web-based time and attendance management system. When an administrator adds a new employee via the System > Employee > Append menu, the Emp Name field does not sanitize user-supplied input, allowing arbitrary HTML and JavaScript to be stored and later executed in the context of other users viewing the employee list [1].
Exploitation
An attacker must have administrative access to the application (the default credentials admin/admin are documented). After logging in, the attacker navigates to System > Employee, clicks Append, and enters a malicious payload into the Emp Name field. The reference uses "/> as a proof-of-concept. Once the form is submitted, the payload is stored and executed when any user loads the employee list page [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user who views the affected employee list. This stored XSS can lead to session hijacking, credential theft, defacement, or further malicious actions within the context of the authenticated session [1].
Mitigation
The vendor has fixed the vulnerability in versions released after 3.1-164. Users should upgrade to the latest version of ZKBio ECO ADMS. If upgrading is not immediately possible, restrict administrative access to trusted users and avoid using default credentials [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ZKTeco Xiamen Information Technology / ZKBio ECO ADMS
  - Range: <=3.1-164
Patches
No patches discovered yet.
References