CVE-2016-20032

HIGH

ZKTeco ZKAccess Security System 5.3.1 Stored XSS

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20032. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This HTML file contains a functional proof-of-concept for a stored XSS vulnerability in ZKTeco ZKAccess Security System 5.3.1. It demonstrates how unsanitized input in the 'holiday_name' and 'memo' POST parameters can execute arbitrary JavaScript in the context of the affected site.

Description

ZKTeco ZKAccess Security System 5.3.1 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Attackers can submit crafted requests with script code in these parameters to compromise user browser sessions and steal sensitive information.

Exploits (1)

exploitdb · Working PoC
by LiquidWorm · html / webapps / jsp
https://www.exploit-db.com/exploits/40328

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: ZKTeco ZKAccess Security System 5.3.12252
Auth required
Prerequisites: Access to the vulnerable web interface · Valid session or authentication credentials
devstral-2 · analyzed Mar 16, 2026

References (6)

Core References

Third Party Advisory: Zero Science Lab Disclosure
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php

Third Party Advisory: CXSecurity
https://cxsecurity.com/issue/WLB-2016090004

VDB Entry: IBM X-Force Exchange
https://exchange.xforce.ibmcloud.com/vulnerabilities/116479

Exploit: Packet Storm Security
https://packetstormsecurity.com/files/138572

Exploit: Exploit-DB
https://www.exploit-db.com/exploits/40328/

Third Party Advisory: VulnCheck Advisory: ZKTeco ZKAccess Security System 5.3.1 Stored XSS
https://www.vulncheck.com/advisories/zkteco-zkaccess-security-system-stored-xss

Scores

CVSS v3: 7.2
EPSS: 0.0002
EPSS Percentile: 4.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (2)
ZKTeco Inc. / ZKTeco ZKAccess Security System 5.3.1
ZKTeco Inc. / ZKTeco ZKAccess Security System 5.3.12252
Published: Mar 16, 2026
Tracked Since: Mar 16, 2026