ZKTeco ZKBioSecurity Reflected Cross-Site Scripting Vulnerability

A set of reflected cross-site scripting vulnerabilities has been identified in ZKTeco ZKBioSecurity version 3.0.1.0_R_230. These vulnerabilities allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in various scripts. Exploitation involves crafting URLs with XSS payloads that, when clicked, execute scripts in the context of the affected application.

Impact

Exploitation of these vulnerabilities allows for cross-site scripting, where injected scripts are executed in the context of the user's browser session on the affected site.

Reproduction

The vulnerability can be reproduced by sending a GET request to the 'authRoleAction!getAll.action' or 'authUserAction!getAll.action' endpoints. Include the 'filter:authGroupSet.id' parameter with a value that contains the XSS payload, such as an image tag with an 'onerror' event.