CVE-2017-17057

Name of the Vulnerable Software and Affected Versions ZKTime Web version 2.0.1.12280

Description The issue is related to insufficient filtration of user-supplied data in the Range field of the Department module in a Personnel Advanced Query. This allows a remote attacker to execute arbitrary HTML and script code in the browser in the context of the vulnerable application.

Recommendations For ZKTime Web version 2.0.1.12280, consider restricting access to the Department module in a Personnel Advanced Query to minimize the risk of exploitation. As a temporary workaround, avoid using the Range field in the vulnerable module until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.