CVE-2022-32171 - OpenCVE

In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete user functionality. When an authenticated user deletes a user having a XSS payload in the user id field, the javascript payload will be executed and allow an attacker to access the user’s credentials.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zinclabs	Zinc

Configuration 1 [-]

cpe:2.3:a:zinclabs:zinc:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/zinclabs/zinc/commit/3376c248bade163430f9347742428f0a82cd322d
https://www.mend.io/vulnerability-database/CVE-2022-32171

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2022-10-06T17:14:15.732295Z

Updated: 2024-09-17T01:41:50.446Z

Reserved: 2022-05-31T00:00:00

Link: CVE-2022-32171

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-06T18:16:02.610

Modified: 2023-11-07T03:47:44.773

Link: CVE-2022-32171

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-32171", "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "datePublished": "2022-10-06T17:14:15.732295Z", "dateUpdated": "2024-09-17T01:41:50.446Z", "dateReserved": "2022-05-31T00:00:00"}, "containers": {"cna": {"title": "Zinc - Stored XSS", "datePublic": "2022-09-28T00:00:00", "providerMetadata": {"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend", "dateUpdated": "2022-10-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete user functionality. When an authenticated user deletes a user having a XSS payload in the user id field, the javascript payload will be executed and allow an attacker to access the user\u2019s credentials."}], "affected": [{"vendor": "zinc", "product": "zinc", "versions": [{"version": "v0.1.9", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "v0.3.1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://github.com/zinclabs/zinc/commit/3376c248bade163430f9347742428f0a82cd322d"}, {"url": "https://www.mend.io/vulnerability-database/CVE-2022-32171"}], "credits": [{"lang": "en", "value": "Mend Vulnerability Research Team (MVR)"}], "metrics": [{"other": {"type": "unknown", "content": {"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "version": 3.1, "baseScore": 5.4, "baseSeverity": "MEDIUM"}}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}, "solutions": [{"lang": "en", "value": "Update version to v0.3.2 or later"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:32:55.958Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/zinclabs/zinc/commit/3376c248bade163430f9347742428f0a82cd322d", "tags": ["x_transferred"]}, {"url": "https://www.mend.io/vulnerability-database/CVE-2022-32171", "tags": ["x_transferred"]}]}]}}