ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability

Title: ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability
Advisory ID: ZSL-2016-5368
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 31.08.2016
Summary
ZKAccess Systems are built on flexible, open technology to provide management, real-time monitoring, and control of your access control system, all from a browser, with no additional software to install. Our secure Web-hosted infrastructure and centralized online administration reduce your IT costs and allow you to easily manage all of your access points in a single location. C3-100's versatile design features take care of present and future needs with ease and efficiency. It is one of the most rugged and reliable controllers on the market, with a multitude of built-in features. The C3-100 can communicate at 38.4 Kbps via RS-485 configuration or Ethernet TCP/IP networks. It can store up to 30,000 cardholders.
Description
Input passed to the 'holiday_name' and 'memo' POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
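As an added illustration (not part of the advisory and not ZKTeco's code), the following Python 3 snippet shows the pattern the description refers to: stored 'holiday_name' and 'memo' values being emitted into HTML unchanged, beside the same rendering with output encoding applied, plus a small check that flags any markup in the output that did not come from the trusted template. The field names match the advisory; the in-memory store, the row template, the sample submission and the helper names are constructed for this example.

```python
import html
import re

# In-memory stand-in for the application's holiday table (constructed for this example).
HOLIDAYS = []


def add_holiday(form):
    """Persist the submitted fields as received; escaping is an output-time concern."""
    HOLIDAYS.append({"holiday_name": form["holiday_name"], "memo": form["memo"]})


def render_holiday_rows_vulnerable():
    """Emit stored values into HTML unchanged: the pattern the advisory describes."""
    return "".join(
        "<tr><td>%s</td><td>%s</td></tr>" % (h["holiday_name"], h["memo"])
        for h in HOLIDAYS
    )


def render_holiday_rows_fixed():
    """Same template, but every stored value is HTML-escaped at the point of output."""
    return "".join(
        "<tr><td>%s</td><td>%s</td></tr>"
        % (html.escape(h["holiday_name"], quote=True), html.escape(h["memo"], quote=True))
        for h in HOLIDAYS
    )


# Matches any HTML tag and captures its name (opening or closing).
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)[^>]*>")


def injected_tags(rendered, template_tags=("tr", "td")):
    """Names of tags in `rendered` that did not come from the trusted template."""
    return [m.group(1).lower() for m in TAG_RE.finditer(rendered)
            if m.group(1).lower() not in template_tags]


# Constructed sample submission: harmless markers standing in for untrusted input.
SAMPLE_FORM = {
    "holiday_name": 'New Year <b onmouseover="probe()">Day</b>',
    "memo": "Office closed <script>probe()</script>",
}


def demo():
    """Store one submission, then compare what each renderer leaks into the page."""
    HOLIDAYS.clear()
    add_holiday(SAMPLE_FORM)
    leaked = injected_tags(render_holiday_rows_vulnerable())
    safe = injected_tags(render_holiday_rows_fixed())
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("unescaped render leaks tags:", leaked)   # ['b', 'b', 'script', 'script']
    print("escaped render leaks tags:", safe)       # []
```

The check is deliberately placed on the rendered output rather than on the stored value: the fix for this class of bug is contextual encoding where data meets markup, and a test that inspects the final HTML catches a renderer that forgets to escape even when the database content looks innocuous.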
Vendor
ZKTeco Inc. - http://www.zkteco.com
Affected Version
5.3.12252
Tested On
CherryPy/3.1.0beta3 WSGI Server
Firmware: AC Ver 4.1.9 3893-07 Jan 6 2016
Python 2.6
Vendor Status
[18.07.2016] Vulnerability discovered.
[27.07.2016] Vendor contacted.
[29.08.2016] No response from the vendor.
[31.08.2016] Public security advisory released.
PoC
zkaccess_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2016090004
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/116479
[3] https://packetstormsecurity.com/files/138572
[4] https://www.exploit-db.com/exploits/40328/
Changelog
[31.08.2016] - Initial release
[26.09.2016] - Added references [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk