CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
This vector computes to a base score of 7.2 (High). Note that UI:N is unusual for stored XSS, which is normally scored UI:R (6.1) because a victim must still load the page that renders the stored payload; treat the higher figure with that in mind when prioritising.
Description
ZKTeco ZKAccess Security System 5.3.1 contains a stored cross-site scripting vulnerability: the 'holiday_name' and 'memo' POST parameters are saved and later rendered without sanitization, so an attacker who submits a crafted request with script code in either parameter gets arbitrary HTML and JavaScript executed in the browser of any user who views the affected page. This can be used to hijack user sessions and steal sensitive information.
Analysis
Stored cross-site scripting (XSS) in ZKTeco ZKAccess Security System 5.3.1 allows remote attackers to inject malicious scripts via the 'holiday_name' and 'memo' POST parameters; per the CVSS vector (PR:N) no authentication is required to plant the payload. Multiple public proof-of-concept exploits are available, so unpatched systems are readily exploitable.
Technical Context
This vulnerability is confirmed in ZKTeco ZKAccess Security System version 5.3.1; the CPE entry uses a wildcard for the version field, so earlier versions may also be affected. The CWE-79 classification (improper neutralization of input during web page generation) describes the defect precisely: values submitted in the 'holiday_name' and 'memo' POST parameters are written to the database and later emitted into HTML without output encoding, so any HTML or JavaScript they contain is persisted and executed on every subsequent view (stored XSS). Because ZKAccess is a physical access control and time attendance management system, a script running in an administrator's session can issue the same requests that administrator can, which puts the access control configuration itself, not just the web session, at risk.
Affected Products
ZKTeco ZKAccess Security System version 5.3.1 is the only version explicitly tested and confirmed vulnerable. The CPE string (cpe:2.3:a:zkteco_inc.:zkteco_zkaccess_security_system:*:*:*:*:*:*:*:*) carries a wildcard version, which means the affected range has not been narrowed and other versions should be assumed vulnerable until verified. The product is a physical access control and time attendance system manufactured by ZKTeco Inc.
Remediation
No specific patch information is available in the provided references. Recommended actions: 1) Contact ZKTeco support for a fixed release beyond version 5.3.1, 2) As the root-cause fix, apply context-aware output encoding wherever the 'holiday_name' and 'memo' values are rendered into HTML, and add input validation (length and character allow-lists) as a second layer; validation alone does not address CWE-79, since the defect is in how stored values are written back into the page, 3) Deploy a Web Application Firewall (WAF) to filter common XSS payloads as defense in depth, 4) Restrict network access to the ZKAccess management interface to trusted IP addresses only, which also limits who can reach the unauthenticated injection point. The vendor advisory link (vulncheck.com) should be consulted for updates.
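The following is an added example, not code from ZKAccess or from this advisory, that models the stored-XSS path described above and the output-encoding fix recommended in the remediation. The request body, the in-memory holiday table and the row template are all constructed for illustration; the real application's storage layer and page templates are not known from this page. The check at the end is a heuristic used to verify the two renderings side by side, not a WAF rule.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample request body (not captured from a real ZKAccess instance):
# the two parameters named in the advisory, each carrying an XSS payload.
SAMPLE_POST_BODY = (
    "holiday_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    "&memo=New+Year%27s+Day+%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"
)

# In-memory stand-in for the table the application persists holidays to.
HOLIDAY_TABLE = []


def parse_post(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def store_holiday(record):
    """Persist the record as received. Storing raw input is not itself the bug;
    the CWE-79 defect is in how the value is later written back into HTML."""
    HOLIDAY_TABLE.append(dict(record))
    return len(HOLIDAY_TABLE) - 1


def render_vulnerable(record):
    """Reproduces the vulnerable pattern: stored values interpolated into HTML as-is."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        record["holiday_name"], record["memo"]
    )


def render_safe(record):
    """Same template with output encoding for the HTML element-content context.
    quote=True also encodes ' and ", so the same helper is safe inside a quoted
    attribute value; a JavaScript or URL context would need a different encoder."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(record["holiday_name"], quote=True),
        html.escape(record["memo"], quote=True),
    )


# Flags a <script> tag or any tag carrying an on* event-handler attribute.
ACTIVE_MARKUP = re.compile(r"<\s*script\b|<[a-zA-Z][^>]*\son[a-zA-Z]+\s*=", re.I)


def contains_active_markup(rendered_html):
    """Heuristic used here to compare the two renderings, not a detection rule."""
    return ACTIVE_MARKUP.search(rendered_html) is not None


def round_trip(body, renderer):
    """Simulate the full stored-XSS path: POST -> persist -> later page render."""
    idx = store_holiday(parse_post(body))
    return renderer(HOLIDAY_TABLE[idx])


if __name__ == "__main__":
    print("vulnerable:", round_trip(SAMPLE_POST_BODY, render_vulnerable))
    print("hardened:  ", round_trip(SAMPLE_POST_BODY, render_safe))
```

Running the script shows the payload arriving intact in the vulnerable rendering and as inert `&lt;script&gt;` text in the hardened one. The point of keeping the storage step unchanged is that encoding must happen at the output boundary for each context the value lands in; a filter applied only on the way into the database leaves every other rendering of the same field exposed.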
EUVD-2016-10819