CVE-2017-16819

MEDIUM

Icon Time Systems RTC-1000 v2.5.7458 - XSS

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-16819. PoCs published by Keith Thome.

AI-analyzed exploit summary: This is a writeup detailing a stored XSS vulnerability in Icon Time Systems RTC-1000 firmware <= v2.5.7458. The vulnerability allows an attacker with valid credentials to inject malicious scripts into the 'First Name' field of an employee record, which executes when the name is displayed on other pages.

Description

A stored cross-site scripting vulnerability in the Icon Time Systems RTC-1000 v2.5.7458 and earlier time clock allows remote attackers to inject arbitrary JavaScript in the nameFirst (aka First Name) field for the employee details page (/employee.html) that is then reflected in multiple pages where that field data is utilized, resulting in session hijacking and possible elevation of privileges.

Exploits (1)

exploitdb WRITEUP
by Keith Thome · text · webapps · hardware
https://www.exploit-db.com/exploits/43158

Classification: Writeup 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Icon Time Systems RTC-1000 <= v2.5.7458
Auth required
Prerequisites: Valid credentials with permissions to modify employee records
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43158/
Exploit, Mitigation, Technical Description, Third Party Advisory x_refsource_misc
https://www.keiththome.com/rtc-1000-vuln/

Scores

CVSS v3 5.4
EPSS 0.0190
EPSS Percentile 77.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
icontime/rtc-1000_firmware < 2.5.7458
Published Nov 17, 2017
Tracked Since Feb 18, 2026