PT-2017-14580 · Icon Time Systems · Icon Time Systems Rtc-1000

Published: 2017-11-17 · Updated: 2017-12-04 · CVE-2017-16819

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Icon Time Systems RTC-1000 versions 2.5.7458 and earlier

Description: A stored cross-site scripting issue allows remote attackers to inject arbitrary JavaScript in the nameFirst field for the employee details page ("/employee.html") that is then reflected in multiple pages where that field data is utilized, resulting in session hijacking and possible elevation of privileges.

Recommendations: For Icon Time Systems RTC-1000 versions 2.5.7458 and earlier, as a temporary workaround, consider restricting access to the /employee.html page and avoid using the nameFirst field until a patch is available.
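The root cause described above is a stored value being written into HTML without output encoding. The following is an added illustration, not code from Icon Time Systems or from the advisory: the field name nameFirst is taken from the description, while the rendering functions, the nameLast field and the sample record are constructed for the example. It places the vulnerable concatenation pattern beside the hardened one and adds a simple review check for stored values that carry tag characters.

```javascript
// Added example (not Icon Time Systems code). Shows why a stored employee
// field must be HTML-encoded at render time, and what the safe version looks
// like. Only the field name nameFirst comes from the advisory; nameLast, the
// render functions and the sample record are constructed for this example.

// Escape the characters that can terminate an HTML text node or a quoted
// attribute value. Apply this at the moment a value enters markup, on every
// page that displays the field, not once at storage time.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so a tag stored in nameFirst becomes live HTML on every page that shows it.
function renderEmployeeRowUnsafe(employee) {
  return `<tr><td>${employee.nameFirst}</td><td>${employee.nameLast}</td></tr>`;
}

// Hardened pattern: each field is escaped where it is inserted into HTML.
// The browser then displays the stored text literally instead of parsing it.
function renderEmployeeRowSafe(employee) {
  return `<tr><td>${escapeHtml(employee.nameFirst)}</td>` +
         `<td>${escapeHtml(employee.nameLast)}</td></tr>`;
}

// Review/monitoring aid: a personal name has no reason to contain '<' or
// '>'. Flagging stored records that do is a cheap way to spot abuse of a
// free-text field on a device that cannot yet be patched.
function containsTagCharacters(value) {
  return /[<>]/.test(String(value));
}

// Constructed sample record: nameFirst carries a harmless HTML tag, and
// nameLast carries an apostrophe that is legitimate but still needs encoding.
const constructedEmployee = {
  nameFirst: '<i>Alice</i>',
  nameLast: "O'Neil",
};

console.log('unsafe:', renderEmployeeRowUnsafe(constructedEmployee));
console.log('safe:  ', renderEmployeeRowSafe(constructedEmployee));
console.log('flag nameFirst:', containsTagCharacters(constructedEmployee.nameFirst));
```

Because the advisory notes that the field is reflected in multiple pages, the encoding has to live in the rendering path shared by all of those pages; escaping only on /employee.html leaves the other consumers of the stored value exposed. Escaping also has to match the output context: the function above is correct for HTML text and double-quoted attributes, while a value written into a script block or a URL needs that context's own encoding.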

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2017-16819

Affected Products: Icon Time Systems Rtc-1000