Vulnerability Details CVE-2017-16819
A stored cross-site scripting vulnerability in the Icon Time Systems RTC-1000 v2.5.7458 and earlier time clock allows remote attackers to inject arbitrary JavaScript in the nameFirst (aka First Name) field for the employee details page (/employee.html) that is then reflected in multiple pages where that field data is utilized, resulting in session hijacking and possible elevation of privileges.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.011
EPSS Ranking 76.9%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 3.5
References
Products affected by CVE-2017-16819
-
cpe:2.3:h:icontime:rtc-1000:-
-
cpe:2.3:o:icontime:rtc-1000_firmware:2.5.7458