CVE-2017-17056

ZKTeco ZKTime Web 2.0.1.12280 Cross Site Request Forgery

Severity Score

8.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The ZKTime Web Software 2.0.1.12280 allows the Administrator to elevate the privileges of the application user using a 'password_change()' function of the Modify Password component, reachable via the old_password, new_password1, and new_password2 parameters to the /accounts/password_change/ URI. An attacker takes advantage of this scenario and creates a crafted CSRF link to add himself as an administrator to the ZKTime Web Software. He then uses social engineering methods to trick the administrator into clicking the forged HTTP request. The request is executed and the attacker becomes the Administrator of the ZKTime Web Software. If the vulnerability is successfully exploited, then an attacker (who would be a normal user of the web application) can escalate his privileges and become the administrator of ZKTime Web Software.

ZKTime Web Software 2.0.1.12280 permite que el administrador eleve los privilegios del usuario de la aplicación empleando una función "password_change()" del componente Modify Password, alcanzable mediante los parámetros old_password, new_password1 y new_password2 en el URI /accounts/password_change/. Un atacante se aprovecha de este escenario y crea un enlace CSRF manipulado para añadirse a sí mismo como administrador de ZKTime Web Software. Después, emplea métodos de ingeniería social para engañar al administrador y que haga clic en la petición HTTP falsificada. La petición se ejecuta y el atacante se convierte en el Administrador de ZKTime Web Software. Si la vulnerabilidad se explota con éxito, un atacante (que sería un usuario normal de la aplicación web) puede escalar sus privilegios y convertirse en el administrador de ZKTime Web Software.

ZKTeco ZKTime Web version 2.0.1.12280 suffers from a cross site request forgery vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-11-29 CVE Reserved
2017-11-30 CVE Published
2023-09-19 EPSS Updated
2024-08-05 CVE Updated
2024-08-05 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-352: Cross-Site Request Forgery (CSRF)

CAPEC

References (2)

URL	Tag	Source
http://www.securityfocus.com/bid/102007	Third Party Advisory

URL	Date	SRC
http://packetstormsecurity.com/files/145160/ZKTeco-ZKTime-Web-2.0.1.12280-Cross-Site-Request-Forgery.html	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Zkteco Search vendor "Zkteco"		Zktime Web Search vendor "Zkteco" for product "Zktime Web"				2.0.1.12280 Search vendor "Zkteco" for product "Zktime Web" and version "2.0.1.12280"		-		Affected