ZKTeco ZKAccess Security System Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in ZKTeco ZKAccess Security System version 5.3.1. This vulnerability allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Exploitation of this vulnerability could compromise user browser sessions and lead to the theft of sensitive information, such as cookie-based authentication credentials.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user's browser session on the affected site.

Reproduction

To reproduce this vulnerability, send a POST request to the '/data/iaccess/AccHolidays/_new_/' endpoint with injected script tags in the 'holiday_name' and 'memo' parameters. The request can be submitted using a form or through a tool that allows for custom POST requests.