CVE-2017-17056

Name of the Vulnerable Software and Affected Versions ZKTime Web Software version 2.0.1.12280

Description The issue allows an attacker to elevate privileges using the password change() function of the Modify Password component, accessible via the old password, new password1, and new password2 parameters to the "/accounts/password change/" URI. An attacker can create a crafted CSRF link to add themselves as an administrator, then use social engineering to trick an administrator into clicking the forged HTTP request, allowing the attacker to become the administrator. If successfully exploited, an attacker can escalate their privileges and become the administrator of the ZKTime Web Software.

Recommendations For ZKTime Web Software version 2.0.1.12280, consider disabling the password change() function until a patch is available to prevent privilege escalation. Restrict access to the "/accounts/password change/" URI to minimize the risk of exploitation. Avoid using the old password, new password1, and new password2 parameters in the affected API endpoint until the issue is resolved.