PT-2017-14580 · Icon Time Systems · Icon Time Systems Rtc-1000

Published

2017-11-17

·

Updated

2017-12-04

·

CVE-2017-16819

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Icon Time Systems RTC-1000 versions 2.5.7458 and earlier

Description

A stored cross-site scripting issue allows remote attackers to inject arbitrary JavaScript in the nameFirst field of the employee details page ("/employee.html"); the stored value is then reflected in multiple pages where that field is used, resulting in session hijacking and possible elevation of privileges.

Recommendations

For Icon Time Systems RTC-1000 versions 2.5.7458 and earlier, as a temporary workaround, consider restricting access to the /employee.html page and avoid using the nameFirst field until a patch is available.

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2017-16819

Affected products

Icon Time Systems Rtc-1000