CVE-2016-20032

HIGH

ZKTeco ZKAccess Security System 5.3.1 Stored XSS

Title source: cna

Description

ZKTeco ZKAccess Security System 5.3.1 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Attackers can submit crafted requests with script code in these parameters to compromise user browser sessions and steal sensitive information.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · htmlwebappsjsp

https://www.exploit-db.com/exploits/40328

View Code ZIP pw:eip

References (6)

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php

[Third Party Advisory] https://cxsecurity.com/issue/WLB-2016090004

[Vdb Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/116479

[Exploit] https://packetstormsecurity.com/files/138572

[Exploit] https://www.exploit-db.com/exploits/40328/

[Third Party Advisory] https://www.vulncheck.com/advisories/zkteco-zkaccess-security-system-stored-xss

Scores

CVSS v3 7.2

EPSS 0.0001

EPSS Percentile 2.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

ZKTeco Inc./ZKTeco ZKAccess Security System 5.3.12252

Published Mar 16, 2026

Tracked Since Mar 16, 2026